Legislature(2005 - 2006)BUTROVICH 205
02/27/2006 08:30 AM JUDICIARY
Download Mp3. <- Right click and save file as
* first hearing in first committee of referral
= bill was previously heard/scheduled
= bill was previously heard/scheduled
SB 222-PROTECTION OF PERSONAL INFORMATION 8:46:03 AM CHAIR RALPH SEEKINS announced SB 222 to be up for consideration. GAIL VOITLANDER, Chief Assistant Attorney General, Department of Law (DOL), introduced herself and advised the committee that she was pinch hitting for Assistant Attorney General Ed Sniffen who was involved with the bill and far more knowledgeable about the consumer implications. She limited her testimony to how the bill would affect the state and its employees. Personal information is a primary tool in state government to use to ensure that, when it takes action about someone, such as collections activities and criminal prosecution, they have the correct person that they are acting upon. For this reason the state tends to have multiple identifiers to ensure they have the correct state action. 8:48:44 AM There is no utility in making states liable so long as they do have a legal obligation to comply with the law. The DOL would recommend in terms of liability that the bill would impose for claims against the state to insert a subsection (d) on page 3 to say, an action may not be brought against a governmental entity or its employees. The state is such a target for frivolous lawsuits that the DOL believes this to be necessary. 8:51:23 AM CHAIR SEEKINS asked Ms. Voitlander whether she was saying that the state never reveals collected information and that they never supply or sell it to outside entities. MS. VOITLANDER clarified state procedures require certain information be used. For example, the Criminal Division of the DOL discloses social security information regularly to the court in connection with criminal prosecution. The Human Services and Collections section of the DOL collect and disclose personal information to pursue collections of judgment. The Department of Motor Vehicles (DMV) obtains and uses social security numbers in many contexts. The Alaska Commission on Post Secondary Education collects personal information and passes it along to credit agencies when a borrower defaults on loans. To say that the state sells the information would suggest that there is a profit motivation, but it is not a profit generating system. 8:54:48 AM CHAIR SEEKINS suggested it was not the intent of the bill sponsors to limit the internal transfer of identifiers among state agencies. SENATOR GENE THERRIAULT responded that language already in the bill would cover much of that concern, such as if the transfer is required by state or federal law. He suggested there were probably many instances where the state needs to tighten down its procedures and provide better consumer protection. CHAIR SEEKINS asked whether it was the intent of the DOL to try to shield a state employee who was acting outside of the normal course of their duties. MS. VOITLANDER said the suggested language doesn't differentiate in terms of motivation. If a state employee were acting wrongly they would be the subject of disciplinary action. 8:57:55 AM MS. VOITLANDER suggested that Mr. Sniffen should weigh in on the bill the next time it is heard. 8:59:11 AM SENATOR GRETCHEN GUESS commented the impetus of the bill was due to the population's desire for privacy. She said, "We have the situation where the state has most of the data on us and ... I haven't heard of any situations of selling it for profit but [the data] has been disclosed in Alaska." It is not the intent to limit the bill to the private sector. Also the bill does not prohibit transfer of the social security number within a state entity, but it does prohibit transfer to a third party. 9:01:09 AM CHAIR SEEKINS speculated that the penalty for a state employee who purposefully discloses private information would be substantial. 9:02:17 AM PAT LUBY, Advocacy Director for AARP, testified in support of SB 222. Their only concern is the preemption clause on page 22. "Alaska should be assertive and aggressive in defending our citizens," he said. 9:05:40 AM ELIZABETH MOCERI, Regional Counsel for Allstate Insurance, asked for the bill sponsors to examine the insurance industry and perhaps create a "carve-out" provision so that they can continue to use credit information for claims adjustment. 9:07:25 AM CHAIR SEEKINS asked Ms. Moceri the reason the industry would need a carve-out provision. MS. MOCERI replied when a person applies in for automobile insurance in order to drive that day and they have a freeze on their credit information then the insurance company would be unable to provide them with a rate. Also, people buying a house don't want to wait for several days to get their quote because they need to close the deal. 9:09:10 AM SENATOR GUESS asked Ms. Moceri whether the insurance company could offer an estimated rate until the credit is lifted. MS. MOCERI countered it would not be the correct rate. Under Alaska law a person has a right to request a review of their credit but there would be no system in place that would allow for a consumer to shop around for the best rate. 9:12:06 AM SENATOR GUESS commented when a person chooses to freeze their credit information they have made a personal choice knowing the consequences. SENATOR THERRIAULT noted the consumer would be aware that a voluntary credit information freeze would make them ineligible for things such as getting an instant credit card. He said if a person chooses to freeze their credit they just have to be mindful of the consequences. 9:14:15 AM CHAIR SEEKINS asked Ms. Moceri whether she had any information on the percentage of people who would actually freeze their information. MS. MOCERI advised that it is only 5/100 of 1 percent. 9:19:22 AM KENTON BRINE, Insurance Agent, Property Casualty Insurance Association of America, agreed with the concerns expressed by Ms. Moceri and said insurance companies want to continue to provide their customers with the best access to the best rates. He suggested the committee consider redefining the definition of "credit reports" to apply only to credit reports that are sought for the purpose of determining eligibility for the extension of credit. 9:21:26 AM MR. BRINE said insurers are different. They do access credit reports but not for the purpose of determining whether to loan someone money. They do not share information with third parties. The goal is to provide access to consumers but what also should be considered is the large amounts of systemic changes that the industry would have to employ for such a small amount of people, referencing the 5/100 of 1 percent figure. He suggested the committee look at other states so that there can be some uniformity. 9:23:23 AM SENATOR GUESS referred to the trend of insurance companies consolidating with other financial companies and asked whether information was being shared within the company for other financial services. MR. BRINE said he believed it was eligible to be. CHAIR SEEKINS asked for an example of the process used within the property casualty insurance business where they would need the credit information and how timeliness has an effect. MR. BRINE replied when a consumer shops for insurance it would make a difference whether they receive an accurate rate. He estimated that it would be difficult for the consumer to place or lift a freeze on their credit and implied that it might add to the overall cost of insurance for everyone. 9:26:39 AM CHAIR SEEKINS asked what questions are asked when people shop online for insurance. MR. BRINE said it was different from company to company. 9:28:01 AM MIKE TIBBLES, Deputy Commissioner, Department of Administration (DOA), spoke about some initiatives that the Department has taken in regards to confidentiality of consumer information. Every employee must sign a confidentiality statement. 9:29:31 AM Last year the Department requested $20 million dollars for a new payroll system, which will move employee records from a social security base to an employee identification base. The bid process is currently active and he intends to announce a successful bidder shortly. The Department has removed the social security number off of the health cards and no longer requires a person to use their social security number to access the Retirement and Benefits website. 9:31:27 AM There is a system in place at the Department of Motor Vehicles (DMV) that allows the Department to "fingerprint" who accesses personal information and so they are able to identify a security breach fairly quickly. The Department is in the midst of deploying the Cisco Security System and that will protect the state network from outside attacks, however a breach of security could be costly to the state because as the bill is drafted, the state would have to send out over 600,000 notices if, for example, a security breach happened at the DMV. The Department would like to see the notices only required when there is personal information released but then again, not if that information were encrypted. 9:34:01 AM The bill does not clarify whether the Department would be required to send notices only to the individuals whose information was leaked. 9:36:19 AM Attacks come in many different forms, such as a "botnik" where no personal information is accessed but it is a breach of security so the Department would be required to send notices in such a case. 9:37:41 AM The state currently receives time slips and leave slips with social security numbers on them over the Internet. It is the way the current system identifies employees. The Department of Law testified that people applying for jobs on the Workplace Alaska website are required to enter their social security number and that enables them to do a background check as well. 9:39:30 AM Regarding payroll reports and W2s, the Division of Personnel maintains records off-site and requires a key code to enter into the records system. The Department is open to updating the security for that system. 9:40:18 AM SENATOR GUESS asked Mr. Tibbles whether a typical encryption code could be broken. MR. TIBBLES implied that it could. SENATOR GUESS noted that page 16 lines 3-5 in the bill would allow for an entity to obtain a social security number over the Internet if it is encrypted. She said it is now possible to perform a background check without a social security number. 9:42:51 AM CHAIR SEEKINS asked Mr. Tibbles whether he was aware of any part of the state system that is easily accessible for the purpose of aiding in identity theft. MR. TIBBLES said the DMV is sometimes mandated to give personal information to outside parties such as tow-truck drivers. The statute requires them to also provide personal information to law enforcement. Under federal law, the DMV is also authorized to provide personal information to credit agencies. The statute also allows for a person to provide consent to another person to get information from the DMV. 9:46:14 AM CHAIR SEEKINS asked whether most employees of the State of Alaska have a state identification card with a unique identifying number. MR. TIBBLES responded that is the goal but it is not currently possible to re-code them from a social security number to a different number. The Cisco Security system should solve that problem once it is up and running. [Chair Seekins then accessed the DMV website from his laptop and cited all of the information that he could obtain from the website, noting that all he had to do was certify that he was a business owner and that the information obtained was to be used strictly for business purposes.] 9:49:09 AM MR. TIBBLES responded with an example of a recall notice where manufacturers obtain personal information in order to send out recall notices. CHAIR SEEKINS said the concern was the amount of leaks in the system that could be used to access information. SENATOR THERRIAULT added there are shelves full of documents that have social security numbers on them. 9:52:47 AM SENATOR GUESS requested that Mr. Tibbles submit to the committee more specific examples of issues in the system. 9:54:16 AM at ease 10:04:19 AM. Senator Hollis French joined the meeting. CHAIR SEEKINS noted there were no other people signed up to testify. He held SB 222 in committee.