Legislature(2005 - 2006)BUTROVICH 205

03/01/2006 08:30 AM JUDICIARY


Download Mp3. <- Right click and save file as

* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ SB 252 DEFINITION OF CHILD ABUSE AND NEGLECT TELECONFERENCED
<Bill Hearing Canceled>
+= SB 301 CHANGE OF VENUE IN CIVIL CASES TELECONFERENCED
Heard & Held
+= SB 249 REPORTING BAIL AND RELEASE INFORMATION TELECONFERENCED
Scheduled But Not Heard
+ Bills Previously Heard/Scheduled TELECONFERENCED
= SJR 20 CONST. AM: BENEFITS & MARRIAGE
Moved SJR 20 Out of Committee
= SB 216 BAIL RESTRICTIONS
Moved CSSB 216(JUD) Out of Committee
= SB 222 PROTECTION OF PERSONAL INFORMATION
Heard & Held
= SB 284 SENTENCING FOR ALCOHOL-RELATED CRIMES
Heard & Held
           SB 222-PROTECTION OF PERSONAL INFORMATION                                                                        
                                                                                                                                
9:31:07 AM                                                                                                                    
CHAIR RALPH SEEKINS announced SB 222 to be up for consideration.                                                                
                                                                                                                                
SENATOR  GRETCHEN  GUESS, sponsor,  asked  for  the testimony  of                                                               
David Lawer.                                                                                                                    
                                                                                                                                
9:31:46 AM                                                                                                                    
DAVID  LAWER,  Senior  Vice President,  First  National  Bank  of                                                               
Alaska testified  on Section  1, Personal  Information Protection                                                               
Act. He said  SB 222 has far reaching implications,  not only for                                                               
financial institutions  but also for  every person in  the state.                                                               
He said the bill poses substantial  risks for all people and that                                                               
violations would  be brought about for  situations where personal                                                               
information was not even divulged.                                                                                              
                                                                                                                                
9:33:57 AM                                                                                                                    
MR.   LAWER   asserted   financial  institutions   have   intense                                                               
information   security  systems   yet   they   can  be   breached                                                               
unintentionally.  He  said he  left  his  computer on  the  night                                                               
before and the janitor could  have accessed his accounts. He said                                                               
SB 222  would make  the bank  notify over  55,000 people  of that                                                               
security breach.                                                                                                                
                                                                                                                                
9:36:08 AM                                                                                                                    
MR. LAWER  said the bank  shares personal information  with other                                                               
entities such as  their credit card system. Taking the  bill to a                                                               
personal level, he  said as a landlord,  he possesses information                                                               
regarding his tenant and said he  would be in violation of SB 222                                                               
if he were  to leave a rent  check on his desk at  home. He hoped                                                               
that was  not the  intended consequences  of the  legislation. He                                                               
advised the committee that he  had technical amendments suggested                                                               
by other banking officials to submit.                                                                                           
                                                                                                                                
9:38:27 AM                                                                                                                    
SENATOR THERRIAULT noted  he and Senator Guess  were studying the                                                               
different suggestions made  and were attempting to  strike a fair                                                               
balance. He asked  the reason that the public  shouldn't expect a                                                               
tighter security system at the bank.                                                                                            
                                                                                                                                
MR.  LAWER conceded  the consumer  should expect  better security                                                               
and said  his computer  at work  has a series  of passwords  as a                                                               
firewall. His  worry was  that simply by  having a  janitor alone                                                               
his office with his computer would  be a breach of security as he                                                               
sees  the bill  written.  Nevertheless, under  the definition  of                                                               
security breach  the bank would  be obliged to notify  the 55,000                                                               
customers of the incident.                                                                                                      
                                                                                                                                
9:41:24 AM                                                                                                                    
SENATOR FRENCH  questioned whether  it would be  a breach  when a                                                               
person attempted  to access a  computer but  was halted due  to a                                                               
password request.                                                                                                               
                                                                                                                                
MR. LAWER  said yes since there  was no definition of  "breach of                                                               
security" in the bill.                                                                                                          
                                                                                                                                
SENATOR GUESS  stated for edification, that  "breach of security"                                                               
is  defined on  page 3,  line  29, and  "information systems"  is                                                               
defined on page 24, line 12 in version I.                                                                                       
                                                                                                                                
9:43:53 AM                                                                                                                    
SENATOR  GUESS  said  she  was  unclear  whether  Mr.  Lawer  was                                                               
suggesting  that the  bill sponsors  add violations  for security                                                               
breaches within Section 1.                                                                                                      
                                                                                                                                
MR.  LAWER  responded  it  was   the  position  of  the  banker's                                                               
association that  the violation be  "the failure to  disclose the                                                               
fact  of unauthorized  disclosure of  the information,"  and they                                                               
need only alert the person  whose information they have reason to                                                               
believe was compromised.                                                                                                        
                                                                                                                                
9:46:08 AM                                                                                                                    
CHAIR  SEEKINS asked  the number  of people  in the  bank systems                                                               
that have access to information  that would be protected under SB                                                               
222.                                                                                                                            
                                                                                                                                
MR.   LAWER  said   everyone.  Every   account  starts   with  an                                                               
application  and   every  application   contains  not   only  the                                                               
customer's name but also one or more of the other elements.                                                                     
                                                                                                                                
CHAIR SEEKINS asked whether they  were required by federal law to                                                               
obtain a person's social security number.                                                                                       
                                                                                                                                
MR. LAWER said correct.                                                                                                         
                                                                                                                                
CHAIR SEEKINS  asked Mr. Lawer  to describe security  measures as                                                               
pertained to by federal law.                                                                                                    
                                                                                                                                
MR.  LAWER said  they perform  periodic risk  assessments and  in                                                               
circumstances where  they detect the possibility  of unauthorized                                                               
disclosure  they notify  customers about  that circumstance.  The                                                               
regulations  are   fluid.  The  bank  is   examined  and  audited                                                               
annually, including  the security system  and the systems  of the                                                               
entities they contract  with. The scope of  the audit continually                                                               
increases  and  as a  result,  identifies  the need  for  greater                                                               
security measures.                                                                                                              
                                                                                                                                
9:49:08 AM                                                                                                                    
Credit card companies are a good  example. The bank is obliged to                                                               
see to the integrity of that security system as well.                                                                           
                                                                                                                                
CHAIR  SEEKINS asked  whether the  federal  regulators audit  the                                                               
security practices of the bank's contractors.                                                                                   
                                                                                                                                
MR. LAWER said yes.                                                                                                             
                                                                                                                                
CHAIR SEEKINS asked  whether they meet the same  standards as the                                                               
bank.                                                                                                                           
                                                                                                                                
MR. LAWER said he suspected they meet higher standards.                                                                         
                                                                                                                                
CHAIR SEEKINS asked whether the  auditors generally find areas of                                                               
weaknesses.                                                                                                                     
                                                                                                                                
MR.  LAWER   said  auditors  have   a  different   perception  of                                                               
weaknesses.  For instance  the last  audit suggested  a need  for                                                               
seven character  passwords that include  at least one  number. He                                                               
questioned whether  that constituted  a weakness in  the security                                                               
system.                                                                                                                         
                                                                                                                                
CHAIR  SEEKINS  asked  Mr.  Lawer  his opinion  of  the  risk  of                                                               
unauthorized penetration of the bank's security system.                                                                         
                                                                                                                                
MR. LAWER said he believed  their only exposure was internal. The                                                               
bank's  computer  systems  cannot   be  accessed  by  anyone  not                                                               
connected  internally. The  greater risk  is of  exposed physical                                                               
records and the bank has suffered a burglary in the past.                                                                       
                                                                                                                                
9:52:44 AM                                                                                                                    
CHAIR  SEEKINS  asked  Mr.  Lawer  whether  his  bank  had  clear                                                               
policies  for  employees  on  how  to  comply  with  all  privacy                                                               
policies.                                                                                                                       
                                                                                                                                
MR. LAWER said yes. They  support extensive personnel policies as                                                               
well as other procedures relating to information security.                                                                      
                                                                                                                                
CHAIR SEEKINS announced a brief recess at 9:53:35 AM.                                                                         
                                                                                                                                
9:53:53 AM                                                                                                                    
CHAIR SEEKINS held the bill in committee.                                                                                       

Document Name Date/Time Subjects