Legislature (2005 - 2006), BUTROVICH 205
03/01/2006 08:30 AM JUDICIARY
SB 222-PROTECTION OF PERSONAL INFORMATION

9:31:07 AM
CHAIR RALPH SEEKINS announced SB 222 to be up for consideration. SENATOR GRETCHEN GUESS, sponsor, asked for the testimony of David Lawer.

9:31:46 AM
DAVID LAWER, Senior Vice President, First National Bank of Alaska, testified on Section 1, Personal Information Protection Act. He said SB 222 has far-reaching implications, not only for financial institutions but also for every person in the state. He said the bill poses substantial risks for all people and that violations would be brought about in situations where personal information was not even divulged.

9:33:57 AM
MR. LAWER asserted financial institutions have intense information security systems, yet they can be breached unintentionally. He said he left his computer on the night before and the janitor could have accessed his accounts. He said SB 222 would make the bank notify over 55,000 people of that security breach.

9:36:08 AM
MR. LAWER said the bank shares personal information with other entities such as their credit card system. Taking the bill to a personal level, he said that as a landlord he possesses information regarding his tenant, and said he would be in violation of SB 222 if he were to leave a rent check on his desk at home. He hoped that was not the intended consequence of the legislation. He advised the committee that he had technical amendments suggested by other banking officials to submit.

9:38:27 AM
SENATOR THERRIAULT noted he and Senator Guess were studying the different suggestions made and were attempting to strike a fair balance. He asked the reason that the public shouldn't expect a tighter security system at the bank.

MR. LAWER conceded the consumer should expect better security and said his computer at work has a series of passwords as a firewall. His worry was that simply having a janitor alone in his office with his computer would be a breach of security as he sees the bill written. Nevertheless, under the definition of security breach the bank would be obliged to notify the 55,000 customers of the incident.

9:41:24 AM
SENATOR FRENCH questioned whether it would be a breach when a person attempted to access a computer but was halted by a password request. MR. LAWER said yes, since there was no definition of "breach of security" in the bill.

SENATOR GUESS stated, for edification, that "breach of security" is defined on page 3, line 29, and "information systems" is defined on page 24, line 12 in version I.

9:43:53 AM
SENATOR GUESS said she was unclear whether Mr. Lawer was suggesting that the bill sponsors add violations for security breaches within Section 1. MR. LAWER responded it was the position of the bankers' association that the violation be "the failure to disclose the fact of unauthorized disclosure of the information," and that they need only alert the person whose information they have reason to believe was compromised.

9:46:08 AM
CHAIR SEEKINS asked the number of people in the bank's systems who have access to information that would be protected under SB 222. MR. LAWER said everyone. Every account starts with an application, and every application contains not only the customer's name but also one or more of the other elements.

CHAIR SEEKINS asked whether they were required by federal law to obtain a person's social security number. MR. LAWER said correct.

CHAIR SEEKINS asked Mr. Lawer to describe the security measures required by federal law. MR. LAWER said they perform periodic risk assessments, and in circumstances where they detect the possibility of unauthorized disclosure they notify customers about that circumstance. The regulations are fluid. The bank is examined and audited annually, including the security system and the systems of the entities they contract with. The scope of the audit continually increases and, as a result, identifies the need for greater security measures.

9:49:08 AM
Credit card companies are a good example. The bank is obliged to see to the integrity of that security system as well.

CHAIR SEEKINS asked whether the federal regulators audit the security practices of the bank's contractors. MR. LAWER said yes. CHAIR SEEKINS asked whether they meet the same standards as the bank. MR. LAWER said he suspected they meet higher standards.

CHAIR SEEKINS asked whether the auditors generally find areas of weakness. MR. LAWER said auditors have a different perception of weaknesses. For instance, the last audit suggested a need for seven-character passwords that include at least one number. He questioned whether that constituted a weakness in the security system.

CHAIR SEEKINS asked Mr. Lawer his opinion of the risk of unauthorized penetration of the bank's security system. MR. LAWER said he believed their only exposure was internal. The bank's computer systems cannot be accessed by anyone not connected internally. The greater risk is of exposed physical records, and the bank has suffered a burglary in the past.

9:52:44 AM
CHAIR SEEKINS asked Mr. Lawer whether his bank had clear policies for employees on how to comply with all privacy policies. MR. LAWER said yes. They support extensive personnel policies as well as other procedures relating to information security.

CHAIR SEEKINS announced a brief recess at 9:53:35 AM.

9:53:53 AM
CHAIR SEEKINS held the bill in committee.