Legislature(2005 - 2006)BUTROVICH 205

02/27/2006 08:30 AM JUDICIARY

Download Mp3. <- Right click and save file as

* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
Scheduled But Not Heard
Heard & Held
Heard & Held
+ Bills Previously Heard/Scheduled TELECONFERENCED
           SB 222-PROTECTION OF PERSONAL INFORMATION                                                                        
8:46:03 AM                                                                                                                  
CHAIR RALPH SEEKINS announced SB 222 to be up for consideration.                                                                
GAIL VOITLANDER,  Chief Assistant Attorney General,  Department of                                                              
Law (DOL), introduced  herself and advised the  committee that she                                                              
was pinch  hitting for Assistant  Attorney General Ed  Sniffen who                                                              
was involved  with the bill and  far more knowledgeable  about the                                                              
consumer implications.  She limited her testimony to  how the bill                                                              
would affect the state and its employees.                                                                                       
Personal  information is  a primary  tool in  state government  to                                                              
use to ensure  that, when it  takes action about someone,  such as                                                              
collections  activities and  criminal prosecution,  they have  the                                                              
correct  person that  they are acting  upon.  For this reason  the                                                              
state tends to  have multiple identifiers to ensure  they have the                                                              
correct state action.                                                                                                           
8:48:44 AM                                                                                                                    
There is  no utility in  making states liable  so long as  they do                                                              
have a  legal obligation  to comply  with the  law. The  DOL would                                                              
recommend in  terms of  liability that the  bill would  impose for                                                              
claims against the  state to insert a subsection (d)  on page 3 to                                                              
say, an  action may not be  brought against a  governmental entity                                                              
or  its  employees. The  state  is  such  a target  for  frivolous                                                              
lawsuits that the DOL believes this to be necessary.                                                                            
8:51:23 AM                                                                                                                    
CHAIR SEEKINS  asked Ms.  Voitlander whether  she was  saying that                                                              
the  state  never  reveals collected  information  and  that  they                                                              
never supply or sell it to outside entities.                                                                                    
MS.  VOITLANDER   clarified  state   procedures  require   certain                                                              
information  be used. For  example, the  Criminal Division  of the                                                              
DOL discloses social  security information regularly  to the court                                                              
in connection  with criminal prosecution.  The Human  Services and                                                              
Collections  section  of the  DOL  collect and  disclose  personal                                                              
information to pursue  collections of judgment. The  Department of                                                              
Motor Vehicles (DMV)  obtains and uses social security  numbers in                                                              
many contexts. The  Alaska Commission on Post  Secondary Education                                                              
collects  personal  information  and  passes it  along  to  credit                                                              
agencies when a borrower defaults on loans.                                                                                     
To say  that the state  sells the  information would  suggest that                                                              
there is  a profit motivation, but  it is not a  profit generating                                                              
8:54:48 AM                                                                                                                    
CHAIR  SEEKINS  suggested  it  was  not the  intent  of  the  bill                                                              
sponsors  to limit  the  internal  transfer of  identifiers  among                                                              
state agencies.                                                                                                                 
SENATOR GENE  THERRIAULT  responded that  language already  in the                                                              
bill would  cover much of  that concern,  such as if  the transfer                                                              
is  required by  state or  federal  law. He  suggested there  were                                                              
probably  many instances  where the  state needs  to tighten  down                                                              
its procedures and provide better consumer protection.                                                                          
CHAIR SEEKINS  asked whether it was  the intent of the  DOL to try                                                              
to shield  a state employee who  was acting outside of  the normal                                                              
course of their duties.                                                                                                         
MS. VOITLANDER  said the suggested language  doesn't differentiate                                                              
in terms  of motivation. If a  state employee were  acting wrongly                                                              
they would be the subject of disciplinary action.                                                                               
8:57:55 AM                                                                                                                    
MS. VOITLANDER suggested  that Mr. Sniffen should weigh  in on the                                                              
bill the next time it is heard.                                                                                                 
8:59:11 AM                                                                                                                    
SENATOR GRETCHEN GUESS  commented the impetus of the  bill was due                                                              
to the  population's desire  for privacy. She  said, "We  have the                                                              
situation where  the state has  most of the  data on us and  ... I                                                              
haven't  heard of  any situations  of  selling it  for profit  but                                                              
[the data]  has been disclosed  in Alaska."  It is not  the intent                                                              
to limit the  bill to the private  sector. Also the bill  does not                                                              
prohibit transfer  of the  social security  number within  a state                                                              
entity, but it does prohibit transfer to a third party.                                                                         
9:01:09 AM                                                                                                                    
CHAIR SEEKINS  speculated that  the penalty  for a state  employee                                                              
who   purposefully   discloses   private  information   would   be                                                              
9:02:17 AM                                                                                                                    
PAT LUBY, Advocacy  Director for AARP, testified in  support of SB                                                              
222.  Their only  concern is  the  preemption clause  on page  22.                                                              
"Alaska  should  be  assertive and  aggressive  in  defending  our                                                              
citizens," he said.                                                                                                             
9:05:40 AM                                                                                                                    
ELIZABETH MOCERI,  Regional Counsel for Allstate  Insurance, asked                                                              
for  the bill  sponsors  to  examine  the insurance  industry  and                                                              
perhaps create a  "carve-out" provision so that  they can continue                                                              
to use credit information for claims adjustment.                                                                                
9:07:25 AM                                                                                                                    
CHAIR  SEEKINS asked  Ms.  Moceri the  reason  the industry  would                                                              
need a carve-out provision.                                                                                                     
MS.  MOCERI  replied  when  a person  applies  in  for  automobile                                                              
insurance in  order to drive  that day and  they have a  freeze on                                                              
their  credit information  then  the  insurance company  would  be                                                              
unable to  provide them with a  rate. Also, people buying  a house                                                              
don't want  to wait for  several days to  get their  quote because                                                              
they need to close the deal.                                                                                                    
9:09:10 AM                                                                                                                    
SENATOR  GUESS asked  Ms.  Moceri  whether the  insurance  company                                                              
could offer an estimated rate until the credit is lifted.                                                                       
MS.  MOCERI countered  it would  not  be the  correct rate.  Under                                                              
Alaska  law a person  has a  right to  request a  review of  their                                                              
credit but  there would  be no  system in  place that would  allow                                                              
for a consumer to shop around for the best rate.                                                                                
9:12:06 AM                                                                                                                    
SENATOR  GUESS commented  when a  person chooses  to freeze  their                                                              
credit information  they have made  a personal choice  knowing the                                                              
SENATOR  THERRIAULT  noted the  consumer  would  be aware  that  a                                                              
voluntary  credit information  freeze would  make them  ineligible                                                              
for things  such as getting an instant  credit card. He  said if a                                                              
person  chooses  to freeze  their  credit  they  just have  to  be                                                              
mindful of the consequences.                                                                                                    
9:14:15 AM                                                                                                                    
CHAIR SEEKINS  asked Ms.  Moceri whether  she had any  information                                                              
on  the percentage  of  people  who  would actually  freeze  their                                                              
MS. MOCERI advised that it is only 5/100 of 1 percent.                                                                          
9:19:22 AM                                                                                                                    
KENTON  BRINE,   Insurance  Agent,  Property   Casualty  Insurance                                                              
Association  of America,  agreed  with the  concerns expressed  by                                                              
Ms.  Moceri  and said  insurance  companies  want to  continue  to                                                              
provide their  customers with the  best access to the  best rates.                                                              
He suggested the  committee consider redefining the  definition of                                                              
"credit reports" to  apply only to credit reports  that are sought                                                              
for the  purpose of determining  eligibility for the  extension of                                                              
9:21:26 AM                                                                                                                    
MR.  BRINE said  insurers  are different.  They  do access  credit                                                              
reports but  not for  the purpose of  determining whether  to loan                                                              
someone money. They  do not share information with  third parties.                                                              
The goal  is to provide access  to consumers but what  also should                                                              
be considered  is the large amounts  of systemic changes  that the                                                              
industry would have  to employ for such a small  amount of people,                                                              
referencing  the  5/100 of  1  percent  figure. He  suggested  the                                                              
committee  look  at  other  states  so  that  there  can  be  some                                                              
9:23:23 AM                                                                                                                    
SENATOR  GUESS  referred  to  the  trend  of  insurance  companies                                                              
consolidating  with other  financial companies  and asked  whether                                                              
information  was  being  shared   within  the  company  for  other                                                              
financial services.                                                                                                             
MR. BRINE said he believed it was eligible to be.                                                                               
CHAIR  SEEKINS asked  for an example  of the  process used  within                                                              
the property  casualty insurance  business  where they would  need                                                              
the credit information and how timeliness has an effect.                                                                        
MR. BRINE  replied when  a consumer shops  for insurance  it would                                                              
make  a difference  whether  they  receive  an accurate  rate.  He                                                              
estimated that  it would  be difficult for  the consumer  to place                                                              
or lift  a freeze on  their credit and  implied that it  might add                                                              
to the overall cost of insurance for everyone.                                                                                  
9:26:39 AM                                                                                                                    
CHAIR  SEEKINS asked  what questions  are asked  when people  shop                                                              
online for insurance.                                                                                                           
MR. BRINE said it was different from company to company.                                                                        
9:28:01 AM                                                                                                                    
MIKE TIBBLES,  Deputy Commissioner,  Department of  Administration                                                              
(DOA),  spoke  about  some initiatives  that  the  Department  has                                                              
taken  in  regards to  confidentiality  of  consumer  information.                                                              
Every employee must sign a confidentiality statement.                                                                           
9:29:31 AM                                                                                                                    
Last year the  Department requested $20 million dollars  for a new                                                              
payroll system,  which will  move employee  records from  a social                                                              
security  base  to  an  employee   identification  base.  The  bid                                                              
process  is  currently  active   and  he  intends  to  announce  a                                                              
successful bidder  shortly. The Department has removed  the social                                                              
security number off  of the health cards and no  longer requires a                                                              
person  to  use  their  social   security  number  to  access  the                                                              
Retirement and Benefits website.                                                                                                
9:31:27 AM                                                                                                                    
There is  a system in  place at the  Department of  Motor Vehicles                                                              
(DMV) that  allows the  Department to  "fingerprint" who  accesses                                                              
personal information  and so they are able to  identify a security                                                              
breach fairly quickly.                                                                                                          
The Department  is in  the midst of  deploying the Cisco  Security                                                              
System  and  that will  protect  the  state network  from  outside                                                              
attacks,  however a  breach of  security  could be  costly to  the                                                              
state because  as the  bill is  drafted, the  state would  have to                                                              
send out over  600,000 notices if, for example,  a security breach                                                              
happened  at  the  DMV.  The Department  would  like  to  see  the                                                              
notices  only   required  when   there  is  personal   information                                                              
released but then again, not if that information were encrypted.                                                                
9:34:01 AM                                                                                                                    
The  bill  does  not  clarify  whether  the  Department  would  be                                                              
required   to  send  notices   only  to   the  individuals   whose                                                              
information was leaked.                                                                                                         
9:36:19 AM                                                                                                                    
Attacks come  in many  different forms, such  as a "botnik"  where                                                              
no  personal  information  is  accessed  but  it is  a  breach  of                                                              
security so  the Department would  be required to send  notices in                                                              
such a case.                                                                                                                    
9:37:41 AM                                                                                                                    
The  state currently  receives  time slips  and  leave slips  with                                                              
social security numbers  on them over the Internet.  It is the way                                                              
the current  system identifies  employees.  The Department  of Law                                                              
testified that  people applying for  jobs on the  Workplace Alaska                                                              
website are  required to  enter their  social security  number and                                                              
that enables them to do a background check as well.                                                                             
9:39:30 AM                                                                                                                    
Regarding  payroll  reports and  W2s,  the Division  of  Personnel                                                              
maintains records off-site  and requires a key code  to enter into                                                              
the  records  system.  The  Department is  open  to  updating  the                                                              
security for that system.                                                                                                       
9:40:18 AM                                                                                                                    
SENATOR  GUESS asked  Mr.  Tibbles  whether a  typical  encryption                                                              
code could be broken.                                                                                                           
MR. TIBBLES implied that it could.                                                                                              
SENATOR  GUESS noted  that page  16 lines  3-5 in  the bill  would                                                              
allow for  an entity to obtain  a social security number  over the                                                              
Internet  if it  is encrypted.  She  said it  is  now possible  to                                                              
perform a background check without a social security number.                                                                    
9:42:51 AM                                                                                                                    
CHAIR SEEKINS asked  Mr. Tibbles whether he was aware  of any part                                                              
of the state system  that is easily accessible for  the purpose of                                                              
aiding in identity theft.                                                                                                       
MR. TIBBLES  said the DMV is  sometimes mandated to  give personal                                                              
information  to outside  parties  such as  tow-truck drivers.  The                                                              
statute  requires them  to also  provide  personal information  to                                                              
law enforcement.  Under federal  law, the  DMV is also  authorized                                                              
to provide  personal information  to credit agencies.  The statute                                                              
also allows for  a person to provide consent to  another person to                                                              
get information from the DMV.                                                                                                   
9:46:14 AM                                                                                                                    
CHAIR  SEEKINS  asked  whether  most employees  of  the  State  of                                                              
Alaska   have  a   state  identification   card   with  a   unique                                                              
identifying number.                                                                                                             
MR. TIBBLES  responded that  is the goal  but it is  not currently                                                              
possible  to re-code  them  from  a social  security  number to  a                                                              
different  number. The  Cisco Security  system  should solve  that                                                              
problem once it is up and running.                                                                                              
[Chair Seekins then  accessed the DMV website from  his laptop and                                                              
cited  all  of the  information  that  he  could obtain  from  the                                                              
website, noting  that all he had to  do was certify that  he was a                                                              
business owner  and that the information  obtained was to  be used                                                              
strictly for business purposes.]                                                                                                
9:49:09 AM                                                                                                                    
MR. TIBBLES  responded with  an example of  a recall  notice where                                                              
manufacturers  obtain personal  information in  order to  send out                                                              
recall notices.                                                                                                                 
CHAIR SEEKINS  said the  concern was  the amount  of leaks  in the                                                              
system that could be used to access information.                                                                                
SENATOR  THERRIAULT  added there  are  shelves full  of  documents                                                              
that have social security numbers on them.                                                                                      
9:52:47 AM                                                                                                                    
SENATOR GUESS requested  that Mr. Tibbles submit  to the committee                                                              
more specific examples of issues in the system.                                                                                 
9:54:16 AM at ease 10:04:19 AM.                                                                                             
Senator Hollis French joined the meeting.                                                                                       
CHAIR  SEEKINS noted  there  were  no other  people  signed up  to                                                              
testify. He held SB 222 in committee.                                                                                           

Document Name Date/Time Subjects