Legislature(2007 - 2008)BUTROVICH 205
03/29/2008 09:00 AM Senate JUDICIARY
| Audio | Topic |
|---|---|
| Start | |
| HB65 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| + | HB 65 | TELECONFERENCED | |
| + | TELECONFERENCED |
HB 65-PERSONAL INFORMATION & CONSUMER CREDIT
9:05:26 AM
CHAIR FRENCH announced the consideration of HB 65.
REPRESENTATIVE JOHN COGHILL said he is sponsoring HB 65 for the
consumer protection elements it provides. People need protection
from having their personal information used against themselves,
but at the same time there's need for commerce. People need to
work with industry to borrow for houses and cars and to get
credit, but their information must be secure. This bill works
with a range of individuals, including the consumer, on how to
protect valuable personal information from being used for
illegal commerce purposes. It sets out a framework to work with
the federal laws that have been enacted for consumer protection.
HB 65 is a new section of law and has seven articles.
9:08:04 AM
REPRESENTATIVE COGHILL relayed that the first deals with what
constitutes a breach of security involving personal information.
It describes the breach, notification of the breach, and the
personal information. Next is the credit report and credit score
freeze. It describes how a person who feels their information
has been compromised is able to freeze their credit and stop bad
actors. A somewhat ticklish area involves insurance companies
that want to look at credit scoring during a credit freeze. That
is something he has resisted, he said. The next article
addresses the protection of social security numbers since they
have become a person's de facto pin number. He doesn't think
they were intended to be use that way, but that's the way it is.
This provision is as stringent as any law in the U.S., but it's
workable. Several issues on the topic will probably come up
today, he said.
9:09:41 AM
Senator McGuire and Senator Therriault joined the meeting.
REPRESENTATIVE COGHILL explained that Article 5 deals with
factual declarations of innocence after identity theft.
Generally a person is considered innocent until proven guilty,
but in identity theft situations a person is considered guilty
until he or she can prove innocence. That's an unusual
circumstance. Describing it as a step in the right direction, he
suggested the committee give this provision particular
attention.
Article 6 relates to truncation of credit card information. It
asks that just the last four numbers on a credit card be used in
any transaction. Hand written and manual machine receipts are
excepted. He said that might be a concern for those who have a
point of sale issue, but he thinks HB 65 covers that. Article 7
has general provisions dealing with definitions and gives a
title to the bill. He asked the Chair how he wanted to proceed.
CHAIR FRENCH said his view is that large portions of the bill
have been agreed upon, and he would like to concentrate on the
areas that are controversial.
REPRESENTATIVE COGHILL acknowledged that the notification issues
and dealing with the social security number will be contentious.
9:12:37 AM
CHAIR FRENCH said he will let people testify and zero in on
portions of the bill as concerns arise.
SENATOR THERRIAULT noted that page 2, subsection (c), in the
disclosure of breach section, talks about "after an appropriate
investigation or after consultation with relevant agencies." His
concern is with the "or" on line 19. There's a choice and it
seems like any company would always choose to do a self
investigation to determine if there's been a breach. He isn't
sure why an information collector would ever consult a state or
federal entity. He has a number of questions on the way that
section works. The issue was also brought up in an email former
Senator Guess sent to committee members. "That's an area that
I'd like to have quite a bit of discussion on," he said.
9:14:52 AM
REPRESENTATIVE COGHILL said that relates to Article 1 Breach of
Security Involving Personal Information. The state resident has
been notified of the breach so they're able to assess the risk
of harm. The intention was [for the covered person] to do an
initial disclosure or consult with the federal government. "I
would expect that that's…a two-tiered approach." There might be
no harm at all; it might be that a disc [containing personal
information] was temporarily misplaced. Or if there was a
breach, they [the covered person] would consult with the
relevant federal offices. In either case the covered person
would have to document what was done in that risk evaluation and
keep a record of that for five years. He believes that time
limit was a way of self protecting to making sure that if there
was harm done, that somebody would be able to go back. He
conceded that the "or" could be problematic if, in the more
egregious instances, only self evaluations were done. But, he
reminded the committee, these people have a reputation to
maintain and a clientele they're responsible to, so this may not
become a big problem. He deferred to committee discussion and
the industry regarding the practical application. He conceded
there is the legal question that if they only have to do one or
the other, they may always pick the easiest one..
9:16:53 AM
CHAIR FRENCH referred to page 2, line 21, and asked if "harm"
means that the information has fallen into the hands of an
identity thief.
REPRESENTATIVE COGHILL said he doesn't know.
CHAIR FRENCH said the converse question would ask what the
impact would be on the industry if it had to consult with a
state, federal or local agency responsible for law enforcement,
even if it meant nothing more than some sort of formal
communication.
9:17:50 AM
REPRESENTATIVE COGHILL deferred to Mr. Sniffen.
ED SNIFFEN, Senior Assistant Attorney General, Department of
Law, Anchorage, said he understands Senator Therriault's
concern. It does make some sense for the state to require a
business to self-police and to consult with the relevant agency
in determining whether or not disclosure is required. He doesn't
think this necessarily requires disclosure, but it requires the
business to inform the local authorities, document the incident
and the decision to not disclose and keep the record for five
years. If a problem comes up it would be addressed at that time.
That's appropriate, he said.
9:19:15 AM
SENATOR THERRIAULT observed that if that isn't done, the
language allows preservation of the status quo. If his company
misplaces a disc [containing personal information] for a couple
of days, he makes the determination about whether to tell
anybody, whether the loss has the potential of harming somebody,
and whether to go to consumer protection. As far as having a
reputation to protect, it can go either way. He would want to be
in contact with law enforcement to make sure the information
doesn't get out or he'd keep it quiet and hope that no one is
harmed. As far as being in touch with a law enforcement agency,
he questions the wording. He'd asked Mr. Sniffen if he has given
any thought to what the consultation might entail and the
potential liability it might bring to the Department of Law
(DOL).
9:21:36 AM
CHAIR FRENCH commented that DOL becomes the umpire of breaches
and the requirement to disclose.
MR. SNIFFEN responded that DOL has a lot of immunity and he
expects it would find a way to tell a business that it is
ultimately their call. He agreed to give it further thought.
CHAIR FRENCH asked if the same fear of being in error wouldn't
drive the covered person to make the disclosure. If a company
conducts an internal investigation and decides a breach is
unlikely and doesn't disclose, it appears that they're on the
hook for up to $50,000 if they guessed wrong.
9:23:00 AM
CHAIR FRENCH asked Mr. Sniffen his view of the total damages
under this section, for a breach of security that is not
disclosed.
MR. SNIFFEN said that if he were a business he would always
consult with the local law enforcement agency about a decision
not to disclose. If there was harm to a consumer, regardless of
whether there was disclosure or not, the exposure would be to
the company holding the data and it would be for the actual
economic harm to the consumer plus penalties up to $50,000. Just
because the state or law enforcement agency was consulted
doesn't necessarily mean it would be liable, the liability would
still be on the company that had the data that was disclosed.
CHAIR FRENCH clarified that the damages are actual economic harm
plus up to $50,000. Mr. Sniffen agreed.
9:25:16 AM
REPRESENTATIVE COGHILL said he believes that part of what
industry will want to discuss is the circumstance of a breach in
a database containing 50,000 names where it's known that three
names have been picked out and misused. Industry wants to notify
just those three rather than all 50,000.
9:26:14 AM
CHAIR FRENCH questioned why industry shouldn't report all
breaches. A parallel can be drawn with the oil industry that is
required to report all oil spills regardless of size. Reporting
a teaspoon of oil spilled into the harbor may seem a waste of
time and paper, but it makes the rules absolutely clear.
REPRESENTATIVE COGHILL said that in the breach category the
final responsibility is given to those who own the license, so
that may very well be the case.
SENATOR MCGUIRE asked the sponsor if he has looked at her radio
frequency identification (RFID) bill, and if it is his intent
that reporting requirements in HB 65 would include consumer
information that's contained in RFID databases.
9:28:04 AM
REPRESENTATIVE COGHILL replied he doesn't know for sure, but if
it deals with social security numbers or credit information then
he believes the answer is yes.
SENATOR MCGUIRE asked him to answer that definitively at the
next hearing so that it's clear within the construct of HB 65.
CHAIR FRENCH opened public testimony. In the interest of time
management, he asked the testifiers to zero in on areas of the
bill that need fixing.
9:28:30 AM
MURRAY JOHNSTON, Director, State & Government Affairs, Experian,
said he will focus on the social security number provision of HB
65. The text recognizes there are legitimate purposes for using
social security numbers under the Gramm-Leach-Bliley Act (GLBA)
and the Fair Credit Reporting Act (FCRA) to enable commerce and
public safety, but the bill also has a categorical and clear
prohibition on the collection and disclosure of social security
numbers. The exceptions need to be very clear to a judge in a
court when it's being enforced by a private right of action or a
class action lawsuit. If the exceptions aren't clear, Experian
will take steps to make sure it complies with the law. It won't
sell products that include social security numbers of Alaska
consumers. "When we have suggested language regarding social
security numbers, we need…the exceptions to be clear enough that
we are confident that the court would agree that we have a
legitimate use," he said.
9:31:36 AM
SENATOR MCGUIRE asked if Experian might stop offering product
lines in Alaska if the bill isn't changed and there is a
wholesale prohibition on the use of social security numbers in
this state.
MR. JOHNSTON said that removing social security numbers from
products that are used in Alaska would be a way his company
could comply. But removing those numbers might make the products
not useful for companies in Alaska. For example, Fanny Mae and
Freddie Mac treat credit reports that don't have a social
security number attached differently and it would take weeks to
get a loan approved instead of hours. Banks also have strict
requirements for the products they receipt and authentification
products use social security numbers to make sure you have the
right person. Without the social security number, those products
aren't very useful.
9:33:21 AM
CHAIR FRENCH asked which exception language threatens Experian's
ability to put a social security number on a credit report.
MR. JOHNSTON directed attention to page 18, lines 13-15, and
said that the exception "for a purpose authorized by the Gramm-
Leach-Bliley Act" is workable, but "to a person regulated by
Gramm-Leach-Bliley" is an additional and confusing condition
because under Title 5 of that Act, there are explicit
permissible uses for non-public personal information. For
Experian that would include social security numbers. The Gramm-
Leach-Bliley Act also has a definition of financial
institutions, and those requirements under Title 5 of GLBA apply
to any use of that information. When giving GLBA regulated
information to someone, the protections stay with the
information. But not everyone would consider themselves to be a
financial institution so that addition requirement that they be
regulated by GLBA in addition to a person regulated by GLBA is
too restrictive.
9:35:35 AM
CHAIR FRENCH asked if Experian is regulated by the Gramm-Leach-
Bliley Act.
MR. JOHNSTON replied his company is, but his customers are not.
CHAIR FRENCH asked if a customer of his might be a mortgage
company.
MR. JOHNSTON replied it could also be a landlord, an employer,
or a retailer that is trying to do commerce.
CHAIR FRENCH asked if his concern is that by releasing the
information to Ford Motor Company credit department, for
example, that Experian is crossing the line into an area that
isn't regulated by that Act.
9:36:35 AM
MR. JOHNSTON clarified that it will always be under the Gramm-
Leach-Bliley Act regardless of whether the entity itself is
regulated by GLBA. When Experian releases GLBA information to an
entity, part of the contract is that the information will
continue to be used for the same purposes for which it was
received.
CHAIR FRENCH questioned how Experian or a similar company would
get in trouble for releasing his social security number in the
ordinary course of doing business.
MR. JOHNSTON explained that it's because the people he
previously described are not a financial institution under GLBA.
Therefore, the exception which seems to indicate that Experian
has legitimate uses under GLBA are permissible, but often it
can't be used. Whether someone is a financial institution under
GLBA is a separate question.
9:38:01 AM
CHAIR FRENCH questioned Experian's concern with the language in
the bill; Experian is regulated by GLBA, and releasing a social
security number in conjunction with a credit report is a purpose
authorized by GLBA.
MR. JOHNSTON said we know the purpose of GLBA, but the question
is what is regulated by GLBA. On the one hand they would be
regulated under the requirements of the contract to continue to
honor GLBA. But the entity may not be a financial institution.
That's why Experian asked that the language be clear so that it
can continue to do business in Alaska.
9:39:06 AM
SENATOR MCGUIRE recapped that in GLBA, there are purposes that
are authorized and there is some consideration about how the
information is transferred between those regulated as financial
institutions and what the authorized uses are. Experian is a
regulated entity that is now releasing information for an
authorized purpose. She asked what purpose isn't under GLBA that
Experian wants to engage in here in Alaska.
MR. JOHNSTON replied all of Experian's uses are regulated under
GLBA or FCRA.
SENATOR MCGUIRE said she doesn't see the problem.
MR. JOHNSTON said the issue is that a lot of his customers are
not financial institutions as defined by GLBA.
9:40:35 AM
SENATOR MCGUIRE referred to the phrase "for a purpose
authorized" and assumed that Experian is a financial institution
under GLBA. A purpose you're authorized to engage in is to
provide credit reports to entities that may not be regulated by
GLBA. "I don't know what those purposes are but I would assume
they're broad purposes that you're authorized to engage in," she
said.
MR. JOHNSTON said that for Experian the permitted purposes under
GLBA are typically related to credit reporting, authentication,
and detection and prevention of fraud.
SENATOR MCGUIRE asked him to send an example of a purpose that
he'd like to be included that is relevant to the Alaska consumer
because subsection (3) has to be read as a whole. You're a
financial institution that's regulated by GLBA and as long as
you're using it for authorized purposes, I don't see the rub,
she said.
9:43:02 AM
MR. JOHNSTON said the rub is that the customers of Experian are
not regulated by GLBA. "Our products are under GLBA or FCRA.
That being the case, then the issue comes that when we sell a
product to someone that includes a social [security number], for
a purpose under GLBA, they may not be a financial institution
and that's why this additional requirement-that they be a
financial institution or that they have to be regulated by GLBA-
is too restrictive."
CHAIR FRENCH asked Ms. Hillebrand to comment.
GAIL HILLEBRAND, Attorney at Law, West Coast Office, Consumers
Union (CU), said CU has been working on these statutes across
the country for three years and in her view the issue of the
sale of a background or credit report that includes a social
security number is a red herring. Page 19, lines 5-8, is an
exception to the do not sell section, and it very clearly says
that if the social security number is being included as part of
the credit report, then it is not a sale. This bill is trying to
restrict the sale of social security numbers for revenue, it
isn't trying to restrict its use as part of a credit report.
9:45:36 AM
CHAIR FRENCH clarified that she's referring to the section that
deals with the sale, lease, loan, trade or rental of social
security numbers. That's essentially Experian's business; it
reports on someone's credit to lenders.
MS. HILLEBRAND agreed adding that the exception says that that
conduct is not the sale of a social security number. There's a
matching exception in the disclosure section that says it's not
a disclosure.
CHAIR FRENCH asked why it's not necessary to have the same
exception in Sec. 45.48.410 - Request and Collection.
MS. HILLEBRAND explained that the language can't be the same
because the person who collects the information isn't issuing
the report. There is an exception in the collections section for
a purpose authorized by the Fair Credit Reporting Act on page
18, lines 16-17. That applies to people who are collecting the
social security number for the purpose of ordering a credit
report.
CHAIR FRENCH said they've collected the information, but it
hasn't been transferred.
MS. HILLEBRAND agreed; Sec. 45.48.410 relates to collections and
there are parallel exceptions under disclosures. Under Section
.410 on page 18, lines 18-21, the information may be collected
for a background check and certain other purposes. The parallel
exception in Section .420 says it is not a sale when Experian
reports it, and the parallel exception on page 20, lines 5-8,
says it's not a prohibited disclosure when it's part of that
report. "So in each section there is an exception so that they
can be used for these kinds of reports."
9:47:39 AM
SENATOR WIELECHOWSKI referred to page 19, lines 18-20, and asked
if there's a penalty associated with the disclosure of social
security numbers.
MS. HILLEBRAND directed attention to Sec. 45.48.480 - Penalties
on page 21, line 22. There's a civil penalty of $3,000 for a
knowing violation plus actual economic damages.
9:48:38 AM
CHAIR FRENCH expressed satisfaction on that point. He asked if
she had general comments on the bill.
MS. HILLEBRAND said CU supports the bill; it strikes a fair and
workable balance. The complexity of the exceptions indicates
they've been well thought through. We urge you to resist further
changes, particularly further exceptions related to social
security numbers, she said. Although there have been requests
for conformity in the exceptions in the three aforementioned
sections, the policy issues are different. We also believe it
would not be appropriate to have a more general exception
referencing to federal law with respect to people that the
federal law doesn't regulate. Under the current drafting the
bill avoids that error, she said.
9:49:46 AM
SENATOR THERRIAULT referred to Sec. 45.48.410 - Request and
Collection on pages 18-19, and observed that the exceptions in
paragraph (5) exempt nearly everyone but the next door neighbor.
He asked if this is similar to most other jurisdictions.
MS. HILLEBRAND said that other states haven't looked at this
comprehensively so Alaska will be ahead of the rest of the
country almost no matter what it does in the area of
restrictions on request and collection, disclosures, and sale of
social security numbers. Only four states have begun to move on
the area of request and collection and Alaska will be the first
state to move into the area of sale.
9:51:27 AM
CHAIR FRENCH asked if she's saying that if Alaska prevents
anyone from asking for his social security number it would be
ahead of the rest of the world in having adopted that idea.
MS. HILLEBRAND said yes, but you don't necessarily want to stop
there. These exceptions are a fair balance but could be a little
narrower, she said. Certain ones such as employment and tax
related purposes, which are under governmental, are absolutely
essential. She believes that the others respond to business
concerns that were presented to the sponsor. "I would defer to
him on those," she said.
SENATOR THERRIAULT said that as an example there is an
individual's employment or including employment benefits but on
page 18, line 2, it says "if the person is expressly authorized
by local, state, or federal law" and he thinks that would
already be covered by "or federal law." If I'm employing
somebody I have to get their social security number, so it seems
to be covered up above, he said. He asked if it opens a bigger
loophole by restating it in paragraph (5).
MS. HILLEBRAND said the analysis is correct, but sometimes
particular industries will use this when it wants something more
specific in the statute.
9:53:00 AM
AUDREY ROBINSON, Manager, State Government Affair, Reed
Elsevier, parent company for LexisNexis, said that LexisNexis is
a provider of public records information that is used in
detecting and preventing identity theft and fraud, locating
suspects, and investigating criminal and terrorist activities.
LexisNexis supports the concept of HB 65, but not the current
draft. The social security number provisions in Article 3 are
particularly troublesome. Without appropriate exemptions for
legitimate business uses, services that LexisNexis provides will
be greatly diminished or stop altogether. Those include
contracting with employers to do background screening, assisting
financial institutions in verifying that customers are not on
the known terror watch lists in compliance with the Patriot Act,
and providing public records information on liens and judgments
to credit bureaus for use on credit reports. Many Alaskans rely
on the services that LexisNexis provides for quick information
for consideration on employment, bank accounts, and credit, all
of which will be diminished if HB 65 passes in its current form.
MS. ROBINSON highlighted LexisNexis as a concrete example of the
issue that Mr. Johnston from Experian spoke to; it is not a
person regulated by GLBA. The uses for their information are
regulated, so the FTC has jurisdiction for prosecutorial action
in the event of misuse. That's the focus point; the goal is to
avoid misuse and provide serious repercussions if there is
misuse. That doesn't change. Under the current language the
purposes for which LexisNexis would use the information don't
matter because they aren't regulated by GLBA. But a bank that is
trying to comply with the Patriot Act is affected. It is
regulated by GLBA and its purposes are authorized by GLBA. When
opening an account for a new customer, the Patriot Act requires
the bank to verify that the person in not on the known terrorist
watch list. The bank doesn't maintain that information,
LexisNexis does. The bank contracts with LexisNexis to run the
verification. The bank can collect the information from the
customer, but would not be able to give the information to
LexisNexis for verification and LexisNexis would not be able to
return the information to the bank under the current draft.
9:57:36 AM
CHAIR FRENCH referred to the language on page 18, line 2, and
asked why some federal contract wouldn't make LexisNexis the
designated person to keep track of who is on the terrorist watch
list.
MS. ROBINSON said no. She described the phrase "expressly
authorized" as problematic because there isn't a federal law
that expressly authorizes anything regarding social security
numbers. FCRA and GLBA are negative statutes that disallow use
of the information except for certain limited circumstances.
9:58:44 AM
CHAIR FRENCH questioned why subsection (b)(2)(B) on page 2,
wouldn't provide LexisNexis the needed leeway to do its
business.
MS. ROBINSON said their attorneys don't feel that language is
appropriate because LexisNexis isn't acting as a law enforcement
agency; it's providing information to a bank. "We're not
Homeland Security officers; we're public records aggregators."
The transaction she described would be prohibited under this
draft because LexisNexis isn't regulated by GLBA.
SENATOR THERRIAULT asked about paragraph (5) that says "if the
request or collection is for a background check on the
individual…".
9:59:50 AM
MS. ROBINSON explained that the employer collects the
information but LexisNexis runs the background checks. Under the
current draft employers could not give the social security
number information they collected to LexisNexis to run a
background check.
SENATOR THERRIAULT pointed out that it doesn't say that it has
to be an employer that's requesting the information; it's just
being requested by somebody for a background check. That
somebody could be LexisNexis.
MS. ROBINSON said we don't have interactions with consumers and
aren't requesting social security numbers; we're engaging in a
transaction with another business.
CHAIR FRENCH said his analysis is that if you haven't requested
the social security number then you could never get in trouble
for having requested it. He suggested looking at Section .420 -
sale, lease, loan, trade, or rental because that's what they do.
MS. ROBINSON said that's right, and the background check
language isn't found in that section.
10:01:39 AM
CHAIR FRENCH asked her to supply language that would allow
LexisNexis to do its business.
MS. ROBINSON said she believes the committee does have several
amendments. Some are as simple as inserting an "or" in a
sentence and changing the phrase "expressly authorized" to
better reflect what the statute says. She reiterated that
they're negative statutes so there are no express
authorizations; there are permitted uses.
10:02:36 AM
REPRESENTATIVE COGHILL said he's willing to remove the word
"expressly" from page 18, line 2, but not the word "authorized".
CHAIR FRENCH said unless you think their problem is created by
the collection of social security numbers, we should be working
on the next section.
REPRESENTATIVE COGHILL directed attention to the exceptions
under the FCRA on page 19, and said there's tension between the
authorized uses under GLBA and the allowed purposes under FCRA.
And, LexisNexis isn't regulated by GLBA. Inserting the word "or"
allows the "purpose" that the FCRA has and still allows the
"authorized" language under GLBA. He tried to address that
concern in paragraph (3) on page 19, but for those who are not
regulated by either FCRA or GBLA, if the authorized language is
removed for either collecting or distributing, there will be bad
actors over which there will be light regulation. "I have no
problem with these people being able to move in their commerce
and if they have a breach, they have to report it. But there are
people who don't have the regulation under these who can misuse
that social security number, and should be regulated by this
state law," he said.
10:05:10 AM
CHAIR FRENCH asked if LexisNexis is regulation by FCRA.
MS. ROBINSON said yes, but the issue is that some of its
customers may not be. FCRA is specifically for credit reporting
and consumer reporting bureaus, and LexisNexis is one. GLBA is
specifically for financial institutions, and LexisNexis is not
one. Customers include business and government, and government
isn't necessarily a financial institution, but LexisNexis wants
to be able to transact with them. The use of the information is
regulated even if LexisNexis or its customers are not. Because
the use is restricted and regulated, there is enforcement action
in cases of misuse. That's the key issue. But as currently
written LexisNexis can't transact business with people who
aren't regulated by that statute.
CHAIR FRENCH asked if inserting an "or" on page 19, line 3,
would solve the problem.
10:06:46 AM
MS. ROBINSON said if it were in both the GLBA and the FCRA
exceptions, and in Sections .410, .420, and .430.
CHAIR FRENCH pointed out that Section .410 prohibits collection
of social security numbers from an individual. If you don't do
that, it doesn't affect your business, he said.
MS. ROBINSON agreed.
10:07:46 AM
CHAIR FRENCH clarified that she is saying that inserting "or" in
both the GLBA and the FCRA exceptions would fix the problem.
MS. ROBINSON said it comes close to fixing our problem.
Turning to earlier testimony, she relayed that a number of
states talk about financial theft or fraud rather than using the
term "harm." She further explained that "or" is used on page 2,
line 19, because sometimes it's appropriate not to have an
investigation by law enforcement. For example, a billing
irregularity that is flagged doesn't necessarily require law
enforcement action if it's just a matter of reexamining the
records. As the sponsor pointed out, most businesses will act in
an appropriate manner given reputational harm and the financial
consequences associated with non disclosure.
10:10:11 AM
SENATOR THERRIAULT highlighted that the word "investigation" is
before the "or" so it's action the company does. Then it
consults with the law enforcement agency to make sure that the
work that was done and the finding is appropriate.
MS. ROBINSON responded that in certain cases consulting with the
relevant law enforcement agency would delay the notification.
SENATOR THERRIAULT pointed out that subsection (c) doesn't say
you shall not disclose. It says disclosure is not required if
certain conditions are met. If you know there's been a breach
and you decide to send out notices, you can do that regardless
of what's in subsection (c).
10:11:59 AM
MS. ROBINSON questioned the necessity of consulting in that
circumstance. If you've sent out a relevant disclosure, it makes
the consultation mute, she said.
CHAIR FRENCH said you may not immediately know there's been a
breach. In the time it takes to learn, should you be making a
disclosure? He posed the example of unusual activity on his
credit card.
MS. ROBINSON said that if you've made the appropriate
investigation, disclosure may or may not be necessary, but she
doesn't believe it should be required in all cases.
SENATOR THERRIAULT pointed out that unusual activity on your
credit card is not a breach. A breach is when data is leaked.
10:14:03 AM
JON BURTON, Vice President, State Government Relations,
ChoicePoint Inc., said his is a data and information company
that services the financial industry. It don't offer the loans,
products and financial tool that consumers use; it helps those
who do facilitate the transactions.
The problems ChoicePoint has with the bill have been articulated
in the previous committee. They relate to Sections .410, .420,
and .430 and the exemption terminology of expressly authorized
by local, state, or federal law and the GBLA and FCRA
exemptions. While these exemptions recognize that commerce
occurs every day, as drafted they don't work. They create
problems for our company, which will create problems for our
customers, who will in turn create problems for Alaska
consumers.
All functions under the FCRA and the GLBA that allows for the
permissible use of such data will either come to a halt or it
will be severely restricted. Transactions that occur on the
spot, such as on the spot credit for buying a car on the lot,
and getting an insurance quote will either stop or will take
days and weeks rather than minutes to complete. He urged the
committee to adopt the suggested fixes that have been submitted.
10:16:38 AM
SENATOR WIELECHOWSKI asked if any other states have provisions
similar to Sections .410, .420, or .430.
MR. BURTON replied absolutely not.
CHAIR FRENCH asked if ChoicePoint collects social security
numbers.
MR. BURTON said no, but our customers do. Looking at the
exemptions in Section .410, he said if our customers are trying
to facilitate these transactions with us, my customers are not
regulated by the FCRA. I am regulated by the FCRA and my
purposes for facilitating this transaction is regulated by the
FCRA. But my customers are not necessarily regulated by the FCRA
so they would be unable to ask for a social security number to
facilitate the transaction under the FCRA. The same thought
process applies under the GLBA, and same applies under the
expressly authorized language, as was articulated by Ms.
Robinson from LexisNexis. To his knowledge there is no local
state or federal statute that specifically expressly authorizes
the use of a social security number. What these statutes do is
they speak to non-public personal information or personal
information. Social security numbers are included in that kind
of umbrella term.
10:18:36 AM
SENATOR WIELECHOWSKI asked for what purpose his customers ask
for a social security number.
MR. BURTON explained that social security numbers are the most
accurate method for ChoicePoint to insure that it is providing
the right data about the right person to the right person.
SENATOR WIELECHOWSKI ask who the customers are and why they need
social security numbers.
MR. BURTON said it could be a person who wants to get an
insurance quote. Suppose your name is John Burton and the
insurance agent sends that name through our system. We may
return data on thousands of people, one or none of which may
actually be you.
10:19:43 AM
SENATOR MCGUIRE asked about the possibility of using a driver's
license number to avoid that confusion.
MR. BURTON said to his knowledge driver's license information
isn't collected at the point of quote by an insurance agent.
That is a unique data element that's regulated by the federal
Driver's Privacy Protection Act and can have more restrictive
purposes than the general purpose of facilitating a transaction
to verify the identify a particular person by name, address and
social security number.
10:21:18 AM
CHAIR FRENCH asked if insurance companies are covered by the
FCRA.
MR. BURTON said no.
SENATOR WIELECHOWSKI asked why that wouldn't fall under page 18,
lines 22-24, if the purpose is to verify the identity of an
individual.
MR. BURTON replied he can't speak to whether that would apply to
an insurance company or any other financial institution. His
point is that ChoicePoint relies on the social security number
to facilitate providing and transferring data to facilitate some
of these transactions.
CHAIR FRENCH asked if most of his concerns would be satisfied if
the word "or" were added in four places to the GLBA and FCRA
exceptions in Sections .420 and .430.
10:22:43 AM
MR. BURTON said it would address his operating concerns, but it
would not address his customers' concerns in Section .410. And
that doesn't address the issue with the "expressly authorized"
phrase in all three sections.
CHAIR FRENCH pointed out that "expressly authorized" is just one
exception and that's sufficient.
MR. BURTON responded that while he does conduct business
pursuant to GLBA and FCRA, he also does business under the
Driver's Privacy Protection Act, the U.S. Patriot Act, and the
state equivalents. Then there's the legal consideration of
whether a line item exemption trumps a general exemption. If he
has prohibitions under one and allowances under another, he
questioned which one controls.
10:24:09 AM
CHAIR FRENCH said you don't need all the exceptions, you need
just one. His vies is that no judge is going to allow you to get
sued under a statute that exempts you from its coverage.
SENATOR MCGUIRE asked if he sees value in the legislation.
MR. BURTON replied without question he supports the policy of
the bill, but as drafted it's fundamentally flawed.
10:25:36 AM
SENATOR WIELECHOWSKI said he's willing to help business and
industry, but he isn't following the problem. In the instance of
an insurance quote, the insurance company calls to verify the
identity of the individual. Again, he questioned why that
doesn't fall under page 18, lines 22-24.
CHAIR FRENCH said he believes that ChoicePoint's concern is on
page 19, lines 5-8. If the transfer of the information is:
(4) part of a report prepared by a consumer credit
reporting agency in response to a request by a person
and the person submits the social security number as
part of the request to the consumer credit reporting
agency for the preparation of the report.
MR. BURTON said that is one permissible purpose as articulated
under the FCRA, but that line doesn't encompass all permissible
purposes, which is why it's critical to draft the FCRA exemption
properly.
CHAIR FRENCH asked if it's acceptable as long as the transfer of
that social security number is for a purpose authorized by the
FCRA.
MR. BURTON replied that does help.
10:27:20 AM
SENATOR MCGUIRE asked if insurance companies in Alaska are
following state law that prohibits the use of credit information
as opposed to driving records to make rate quotes.
MR. BURTON replied that to his knowledge insurance companies are
comporting themselves in accordance with state statutes.
KENTON BRINE, Northwest Regional Manager, Property Casualty
Insurers Association of America (PCI), said that this trade
association represents companies that underwrite about 50
percent of the home, auto, and commercial insurance that's
written in the country. Member companies include Allstate,
GEICO, Progressive, Liberty, American Family and several others
that write business in Alaska.
MR. BRINE echoed the comments made by Mr. Burton. Many of our
members are ChoicePoint customers and if they aren't able to
provide the product and services to our companies, then our
companies won't be able to provide cost-effective service to our
consumers who are the policyholders of Alaska.
Responding to the question that Senator McGuire raised
previously, he explained that Alaska statute allows insurers to
consider a consumer's credit history for purposes of rating, but
not for purposes of underwriting. Under the insurance code that
criteria can be used for a period of two years on new business.
After that time the customer is rated without using their credit
information. With that in mind, he is seeking a change in
language in Sec. 45.48.100 to define a credit report as a
consumer report used for the purpose of determining loan
eligibility during a security freeze. Currently 41 states have
approved security freeze language similar to what is
contemplated in Alaska, and 34 of those have an allowance for
insurers to access credit files that the consumer has frozen. We
aren't accessing the information to determine eligibility for a
loan, he said, and identity theft isn't a crime that's typically
engaged in by a person seeking a better insurance rate.
Generally people steal someone's identity to get money.
10:32:11 AM
MR. BRICE noted that a number of companies now provide access to
rate quotes online so consumers can compare rates. The idea is
that if the credit report is narrowly defined, for purposes of a
freeze, and limited to lending only, then a person can do
hassle-free shopping without worrying about identity theft and
possible harm to their credit rating. He has provided specific
language to amend Sec. 45.48.100 and Sec. 45.48.290.
CHAIR FRENCH relayed that he received the suggested language. He
asked the sponsor if he or his staff had reviewed PCI's
suggestions.
10:33:25 AM
Karen Lidster, Staff to Representative John Coghill, said we've
looked at the request and feel that it opens too many loopholes,
particularly in a freeze. She suggested the following language:
"Any person or entity for use in setting or adjusting a rate,
adjusting a claim or underwriting for insurance purposes." In
response to the Chair, she said it pertains to Sec. 45.48.210 -
Exemptions, on page 15.
MR. BRICE said he believes that language would work equally
well.
10:35:40 AM
REPRESENTATIVE COGHILL said that is a broad exemption and up to
now he's maintained that the individual should be in control of
their consumer credit information. This removes some of that
control. What will happen is that the insurers will be able to
manipulate credit information for purposes of their business.
From his perspective, the policy call is whether the consumer's
credit is really frozen, or will the consumer need to be told in
the express authorization that their credit is only frozen for
the purposes of a loan, not for their credit information
specifically.
10:37:20 AM
CHAIR FRENCH posed a hypothetical situation where he lost his
wallet, made a decision to freeze his credit, and then made a
decision to get a new quote for auto insurance. He asked if he
could authorize a specific insurance company to access his
credit information for the purpose of that one quote.
REPRESENTATIVE COGHILL directed attention to the five exceptions
on page 9, under subsection (g). The insurer could: 1) treat the
application as incomplete, 2) decline the application, 3) treat
the consumer as though they had a neutral credit rating, 4)
exclude the use of credit information as a factor, or 5) treat
the consumer in a manner that is otherwise approved by the
division of insurance. Once a consumer freezes their credit,
they become accountable for their creditworthiness. Once they've
claimed the responsibility of locking down their credit, outside
of lifting the credit freeze, they have to realize that there's
a significant impact.
10:39:10 AM
CHAIR FRENCH observed that the upside is that all your credit is
frozen, and the downside is that you may find your ability to
operate in the financial world is curtailed.
REPRESENTATIVE COGHILL said he's always held that once an
individual freezes their credit, they have the expectation that
it is frozen. If this exception is opened, it says that a
consumer's credit is only frozen for certain purposes. So
insurers will be able to access that information to score the
consumer's creditworthiness, not necessarily to deliver their
insurance.
CHAIR FRENCH asked Mr. Brine why the consumer shouldn't be the
one to make the choice.
MR. BRINE said this is mostly about the degree that the consumer
faces expected or unexpected hassle. With 41 states that have
security breach laws in place, the percentage of consumers using
freezes is fairly small. In the 33 states where insurers are
allowed access to frozen files, he's not aware of any complaints
from consumers. The goal is to find a balance between protecting
the consumer and allowing commerce to go forward. He understands
the point of giving the consumer control and responsibility, but
he believes that this is a relatively harmless change to make in
terms of the risk involved.
10:42:05 AM
JENNIFER FLYNN, Director, Government Affairs, Consumer Data
Industry Association (CDIA) said that CDIA represents consumer
reporting agencies including LexisNexis and ChoicePoint; Ms.
Robinson and Mr. Burton outlined the issues very clearly. CDIA
has been working with the sponsor and others for about 18 months
to make positive changes to the bill. She supports the policy
and the intent, but she opposes the technical drafting. Contrary
to what some have claimed, industry doesn't want a weaker bill.
It wants a bill that it can comply with and that provides
protection to Alaska consumers as well as the services they have
come to rely on.
MS. FLYNN said that as an industry CDIA knows that the social
security number is important and private, and it takes great
pains to keep that information secure; it's only used for
specific purposes allowed for under FCRA and GLBA. Their
attorneys have said that Article 3 will create serious
repercussions for the current products and services that CDIA
provides. It's helpful that legislators say that credit
reporting agencies should be able to comply, but if our
companies say they can't comply with the language then they
won't be able to continue to do credit reports and consumer
reports the way they're currently done, she said. That might
mean that certain services and products will be stopped or that
it'll take weeks to verify identities instead of hours. No other
state has this type of requirement drafted this way so we really
don't know, she said.
MS. FLYNN suggested that the addition of the word "or" in
Sections .410, .420, and .430 would go a long way to alleviating
her concerns. The amendments that CDIA submitted regarding
"expressly authorized" and that the FCRA and GLBA requirements
are not arbitrary are necessary. Regardless of any other
interpretation, that's the way our companies interpret this, she
said.
10:46:27 AM
MARIE DARLIN, Coordinator, AARP-Alaska, said she submitted a
letter that contains some statistical information. AARP-Alaska
supports the bill as one of the most comprehensive in the
nation. The legislature should protect citizens from the
unauthorized dissemination of information, she said. Hopefully
the problems will be resolved and this will become law this
session.
SENATOR THERRIAULT commented that AARP wants to tell members
they have the opportunity to avail themselves of the law and get
protection and the legislature wants to make sure that the
protection is real.
10:49:26 AM
SENATOR THERRIAULT asked if Ed Sniffen or Gail Hillebrand could
comment or provide cautions on the suggestions.
MS. HILLEBRAND said the conundrum is that the people that are
testifying are restricted in various ways by federal law, but
the proposed "or" language would open sections to the bill for
people whose product is not regulated by federal law. The "ors"
that have been proposed would have the result of saying that
these persons are regulated by the FCRA, but that isn't designed
to be a social security number statute. Every business that
reports to a credit reporting agency in the U.S. is a person
regulated by the FCRA with respect to that conduct. So if
there's a general "or" after "a person regulated by the FCRA"
you're saying just about every decent size retailer would be
exempt from things like whether they can sell your social
security number.
Likewise, if you say every purpose under the FCRA without tying
it to a person regulated by FCRA, you include the general casual
person that otherwise has a legitimate business need for the
information in connection with the business transaction
initiated by the consumer. That would be very broad so it's a
policy question not simply a technical drafting question.
With GLBA, it does regulate financial institutions at least as
they're defined broadly. But the exceptions in GLBA include an
exception for consent or direction of the consumer. CU is deeply
concerned that adding an "or" in the GLBA section would
essentially say that anytime the paperwork says it's okay, the
protections of the Alaska law would go away. That would be an
unfortunate result, she said.
MS. HILLEBRAND suggested that in the states where the term
"harm" has been defined under notice of breach, the definition
has done more harm than good because things other than identity
theft can be a form of harm from a breach. Domestic abuse
situations and stalking are examples where a small bit of a
person's information is looked at, but there may be potential
for physical violence. Also, there are non financial harms from
identity theft that a definition might overlook.
10:52:35 AM
SENATOR WIELECHOWSKI asked if she has any suggestions about the
concerns ChoicePoint voiced about its ability to provide
verification information on insurance quote requests relative to
Sections .410, .420, and .430.
MS. HILLEBRAND said that CU will continue to work with the
sponsor and the industry, but just saying the purpose or the
person is too broad.
10:54:29 AM
MR. SNIFFEN agreed with Ms. Hillebrand about potentially opening
up the exemption. Federal law is very broad and allows a lot of
social security number uses that this bill wants to restrict.
The purpose for this bill is to curtail conduct that exists in
the marketplace to protect consumers from identify theft.
With respect to the concern about the "expressly authorized"
language, he suggested changing it to say that the information
is allowed by state or federal law. Then none of it matters
because the GLBA, the FCRA, the Driver's Privacy Protection Act,
and the U.S. Patriot Act would all allow the uses that industry
wants. He doesn't read "expressly authorized" as narrowly as
they do. His view is that if you are expressly authorized by
federal law to do something with a social security number, then
you can do that. If GLBA or FCRA says you can use someone's
social security number when issuing a report, that suggests it
is expressly authorized. There may be legal quibbling over
whether that's express authorization as opposed to permitted
use, but he hasn't seen case law that interprets it that way. He
understands how the attorneys for ChoicePoint and LexisNexis are
looking at it, but the intent of those statutes is clear that
the people who are regulated by those Acts be allowed to use the
information. The sponsor has suggested that removing just the
word "expressly" may fix the problem. "We are willing to work
with the sponsors and the industry and others…to try and find a
way to fix this."
10:57:38 AM
MR. SNIFFEN disagreed with Ms. Robinson's assessment of the
issue on page 2 about self policing or consulting with federal,
state, or local law enforcement agencies. In his view if you
feel that a disclosure is necessary, then you disclose and
there's no consultation required. Changing the language to "and"
still would require you to consult with local officials if
disclosure was necessary. The only time you'd need to consult,
if Senator Therriault's suggestions are adopted, is if you
thought about not disclosing. The requirement to disclose would
always be there and you'd have to do it if there was a breach.
Consultation would only be necessary in the instance where you
thought disclosure would not be required.
SENATOR THERRIAULT observed that many of the terms used in
subsection (c), on page 2, would need to be defined. He asked if
the words: appropriate investigation, consultation, and
reasonable likelihood should be fleshed out in regulation or in
the definition section.
MR. SNIFFEN agreed with Ms. Hillebrand that trying to define
things too much creates problems. The intent is clear and the
language is probably okay as is, he said.
SENATOR THERRIAULT questioned whether subsection (c) should
include some statement of time.
11:00:42 AM
MR. SNIFFEN replied DOL would interpret this to mean a
reasonable time under all circumstances because time is of the
essence when there's been a breach. If a business didn't act
quickly and there was potential for harm, that would expose them
to penalties and liabilities. It might not be a bad idea to set
a timeframe, but he isn't sure what it would be.
REPRESENTATIVE COGHILL noted that in subsection (b) it says "in
the most expeditious time possible" and questioned if that would
also apply to subsection (c).
11:01:48 AM
MR. SNIFFEN said those are separate sections and it might not be
a bad idea to put it in subsection (c).
REPRESENTATIVE COGHILL supported including some expeditious
language, perhaps by noticing subsection (b) in subsection (c).
SENATOR THERRIAULT said that or a restatement, whichever the
drafter suggests is appropriate.
CHAIR FRENCH saw no harm in having an expeditious investigation.
SENATOR THERRIAULT referred to the phrase "consultation with
relevant federal, state, or local agencies" and questioned
whether that provides sufficient direction.
CHAIR FRENCH said the word "relevant" seems adequate.
11:02:54 AM
MR. SNIFFEN said it would depend on the circumstance of the
breach. If it was a breach that was limited to Alaska, it would
probably be someone at the state, local or municipal level, but
he doesn't know if the Municipality of Anchorage has a consumer
protection function so it would fall to DOL. If it was a
national breach that happened to include information on Alaska
residents, then the consultation might be with federal officials
in charge of bad acts on a national level or the official where
the breach occurred. The term "relevant" gives the flexibility
for a company to decide who is the most appropriate law
enforcement official to go to.
11:04:04 AM
REPRESENTATIVE COGHILL emphasized that this is important
legislation for Alaska. The tension between allowing consumers
to protect themselves while allowing companies to work with this
information and do commerce can be clearly seen in the section
on social security numbers. This is relevant to industry and it
should be to Alaska consumers because their identity really does
travel in a little number. He offered to continue working with
the industry and the committee to solve any problem areas.
CHAIR FRENCH held HB 65 in committee.
| Document Name | Date/Time | Subjects |
|---|