Legislature(2007 - 2008)BELTZ 211
03/04/2008 01:30 PM Senate LABOR & COMMERCE
| Audio | Topic |
|---|---|
| Start | |
| SB289 | |
| SB293 | |
| HB65 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| *+ | SB 289 | TELECONFERENCED | |
| *+ | SB 293 | TELECONFERENCED | |
| + | HB 65 | TELECONFERENCED | |
| += | SB 147 | TELECONFERENCED | |
CSHB 65(FIN)-PERSONAL INFORMATION & CONSUMER CREDIT
2:30:23 PM
CHAIR ELLIS announced CSHB 65(FIN) to be up for consideration.
KAREN LIDSTER, staff to Representative John Coghill, co-sponsor
of HB 65, presented a sectional analysis of the bill. Section 1
talks about the care of records and how they are to be managed
from creation to disposal. Section 2 adds a new paragraph
relating to the breach of security involving personal
information. Section 3 adds a new Chapter to AS 45 on personal
information protection act with seven articles - the substance
of the bill.
MS. LIDSTER said Article 1 describes what is required if there
is a breach of information and definitions. Article 2, pages 7-
16, allows a consumer to put a freeze on their personal
information and tells how to lift it as well. Article 3, on
pages 16-21, establishes parameters for the collection, use,
sale loan or trade of social security numbers; it also provides
for exceptions and penalties. Article 4, pages 21-24, outlines
the measures to follow when disposing of personal information;
it also provides for exceptions, penalties and definitions.
2:34:47 PM
Article 5, pages 24-26, outlines the rights an individual has
when trying to establishing their innocence after their identity
has been stolen. Article 6, pages 26-27, describes the limits on
businesses regarding the printing of credit or debit card
numbers on consumer receipts and allows the last four digits on
receipts. Article 7, pages 27-29, provides for the definitions
and cites the short title.
2:38:33 PM
Significant changes include giving a business the time to decide
whether harm was caused if there was a breach in their
information (page 2, lines 19-24). The breach needs to be
documented, but notification is not required. The damages
section was changed to target arbitrary lawsuits against large
businesses that might have a breach or mishandle it without any
harm being done to them personally by adding "actual economic
damages" on the civil side of the penalties. The definition of
personal information was narrowed down to delete information
that is easily or readily available or public information.
2:40:02 PM
MEAGAN FOSTER, staff to Representative Les Gara, co-sponsor of
HB 65, added they have worked hard on this bill for a number of
years and that they would be happy to answer questions.
2:40:54 PM
GAIL HILLEBRAND, Financial Services Campaign Manager, Consumer's
Union, San Francisco, said Consumer's Union is a non-profit
publisher of Consumer Reports. Its mission is to test, inform
and protect, and she is with the protective pieces of the
organization.
She said HB 65 is a moderate but strong measure and that
identity theft is now a world wide crime. The crook can be
anywhere in the world, and the victim can be anyone with good
credit. HB 65 offers prevention as the best remedy, and it does
it in a couple of ways. Article 1 provides notice of breach
which tells consumers when certain very narrowly defined
categories of important information have been released to the
public, stolen or lost and might be in the hands of a crook.
More than 35 states have enacted some legislation on this issue.
Alaska takes an in-between approach by narrowing the scope of
the information, saying it has to include the consumer's name
and that a determination cannot be made that there is no risk
before a consumer has to be told about it.
With a security freeze the concept is the consumer gets to lock
up who gets to see their credit files. Everyone gets a choice of
using it with a state security freeze law.
MS. HILLEBRAND said the pricing and fees are kind of in the mid-
range and she pointed out that in Indiana consumers pay no fees
and Montana has them pay $3/pop. She summarized that "it's kind
of a mid-range but well-crafted proposal."
She said this measure has some social security provisions that
are common in a dozen or more states such as don't print social
security numbers on a card and don't mail it except in certain
circumstances. She said they were very pleased to support this
measure.
2:44:00 PM
STEVE CLEARY, Executive Director, Alaska Public Interest
Research Group (AKPIRG), supported HB 65. He said this issue had
been on their front burner for a number of years. Identity theft
costs consumers time and money and on the average it takes over
200 hours to clear a name.
2:46:59 PM
JOHN BURTON, Vice President, Government Relations, Choice Point,
said it is a publicly traded company that provides data and
information services to businesses, government, legal and law
enforcement communities at the local, state and federal level.
They don't make loans, but help facilitate them with their
products. He said they had spent a lot of time on this bill on
the House side and that he would continue to work with them on
it. He said HB 65 is "quite a large bill" and covers three
primary issues: social security number regulation, data breach
notification and the credit breaches. While he had on-going
concerns about many of those provisions, he said he would focus
his comments on the social security number provisions.
MR. BURTON clarified that Choice Point and companies like it
don't oppose these issues. Approximately 39 states have passed
credit freeze legislation. The three national credit reporting
agencies have voluntarily adopted this procedure where a person
can call up and freeze access to their credit report. Another 39
states have already passed breached notification bills, and
approximately 29 states have passed legislation that seeks to
protect the public access and availability of social security
numbers. Most of these states are modeled after the California
law. His interests are two-fold, he said: state by state
consistency and Choice Point's ability to be compliant with all
of them. None of the state laws are exactly identical, but he
works to get them as consistent as possible on core
applications.
2:49:38 PM
MR. BURTON said all companies like Choice Point that do
activities related to non-public personal information (which
could include social security numbers) are already regulated on
the federal level in addition to whatever state laws may be in
existence; these include the federal Fair Credit Reporting Act,
the Gramm-Leach-Bliley Act and to a lesser extent, the federal
Drivers Privacy Protection Act. If companies like his can't work
under these laws, services will become slower, less efficient
and more expensive. An interruption in services that are taken
for granted now could occur - like the ability to walk in and
get on-the-spot credit and the ability to get an instant binder
from an insurance company to buy a car and drive it off the lot.
Unfortunately, Mr. Burton said, as drafted the bill does not
give them the kind of state by state allowance to continue their
operations - even under existing federal law. They have far less
problem with the legislative aspect of this bill than with the
legal aspect. Many provisions that are in other state laws that
they need in this bill are there, but as drafted they don't have
any legal effect. So, he asked them not to delete anything, but
to redraft certain sections.
2:51:27 PM
SENATOR DAVIS asked for a copy of his drafted legal concerns.
2:52:02 PM
AUDREY ROBINSON, Reed Elsevier, said they own Lexus Nexus, and
provide legal services like looking up case law and public
records information. However, they also provide many of the same
services that Choice Point provides and she echoed Mr. Burton's
sentiments. She didn't oppose HB 65, but wanted it to be
consistent and workable for businesses. She wanted to focus on
the social security provisions and how they would affect
business here.
First it involves Patriot Act compliance. Under that federal
law, banks are required to get identifying information,
including a social security number, to check against a known
terror watch list. They do this to make sure the person opening
the account isn't funding fundamental extremists or terrorism.
Reed Elsevier maintains those lists, but the banks don't. The
banks can gather that information through the Patriot Act, but
they would no longer be able to transmit it to her to check
against the terror watch list, and they similarly wouldn't be
able to transmit it back to them so they could issue a bank
account. Though the bill seeks to say that federal and state
laws would not be harmed by this, they would say their business
practices would, in fact, be harmed by not being able to engage
in that transaction.
2:54:48 PM
An additional transaction Reed Elsevier wouldn't be able to
engage in is reporting judgments for credit reporting purposes.
They receive lien and judgment information from states and when
this information is transmitted to them it has social security
numbers for matching to the appropriate person. Under this bill,
they would no longer be able to collect that information or
transmit it to the credit bureaus. If credit bureaus can't
receive the judgment information from them, it won't appear on
the credit report, and if that's the case, she didn't think the
judgment would be satisfied. She asked the committee to keep the
status quo for businesses that are using social security numbers
for legitimate business purposes.
CHAIR ELLIS asked if the problem is that the bill drafting needs
to have legal import.
MS. ROBINSON replied yes. For example the Fair Credit Reporting
Act gives seven permissible uses for non-public personal
information which includes the social security number; she
clarified that they are "permitted" to use them under this act.
They are also "authorized" to get it under the Gramm-Leach-
Bliley Act. The language in the bill isn't consistent and refers
to "authorized use" and "express authorized use". It's a
semantic issue that needs to match with federal language that
says "permits."
2:57:35 PM
KEVIN BROOKS, Deputy Commissioner, Department of Administration,
said he is pleased with the amendments. But he said the
Department of Law still has concerns over exposure issues. The
state collects data from many different sources like vital
statistics, motor vehicles or the Permanent Fund. Through
governing it is required to collect and keep data on citizens of
the state and others.
MR. BROOKS explained that their networks and systems had been
developed incrementally over the last 20-plus years and they are
doing as thorough of an analysis as they can on the state's
security. The state had a data breach when some of its servers
were breached in January 2005. Since that time they have been
making significant investments in security infrastructure, and
he anticipates having to continue doing that. He said security
folks tell him it happens on a daily basis now, and it's not
someone in their garage anymore. It's often very sophisticated
government to government operations.
CHAIR ELLIS asked if he shared private business concerns about
semantic language issues.
MR. BROOKS answered that is beyond his purview, and he suggested
asking Mr. Sniffen at the Department of Law about it.
3:01:17 PM
ED SNIFFEN, Department of Law (DOL), said he would look into
questions and get back to them.
3:01:54 PM
SENATOR STEVENS stated the key issue is if businesses have to
react to passed laws, that it is the responsibility of Mr.
Brooks and others in the administration to meet with those
people and let the legislature know if it's true or not so they
can decide how to proceed.
3:02:59 PM
PAT LUBY, Advocacy Director, AARP, said identity theft is a
growing concern for its members. He said many veterans went
through this experience when the Army's computer was stolen,
because their social security numbers were used as their Army
identification numbers. He and Senator Stevens have just dealt
with it, and until they were notified, the computer located and
no breach was found, many veterans had a certain anxiety.
He said one of the concerns is the impact on business throughout
the U.S. of all the identity theft that takes place. It costs
millions for the individuals who have lost their identity and
have money stolen from them, but it costs billions for many of
the businesses that have suffered losses because of identity
theft. Finally, he said AARP studies identity theft because it
is a very serious issue for its members; but it's also a health
issue. Research has shown that identity theft victims have a
higher death rate than non-victims. "Identity theft can kill
you."
MR. LUBY said HB 65 builds on some excellent work that Senator
Gene Therriault and Senator Gretchen Guess worked on in the last
session. "It was good a couple of years ago, it's even better
right now, and we encourage your positive support of it."
CHAIR ELLIS remarked that his bill was subsumed into the
Therriault/Guess effort. He said HB 65 would be held for further
work. There being no further business to come before the
committee, he adjourned the meeting at 3:05:50 PM.
| Document Name | Date/Time | Subjects |
|---|