Legislature(2005 - 2006)BELTZ 211

01/24/2006 01:30 PM LABOR & COMMERCE


Download Mp3. <- Right click and save file as

* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
*+ SB 222 PROTECTION OF PERSONAL INFORMATION TELECONFERENCED
Heard & Held
*+ SB 207 AK AEROSPACE DEVEL. CORP BD MEMBERSHIP TELECONFERENCED
Heard & Held
Bills Previously Heard/Scheduled
           SB 222-PROTECTION OF PERSONAL INFORMATION                                                                        
                                                                                                                                
CHAIR CON BUNDE announced SB 222 to be up for consideration.                                                                    
                                                                                                                                
SENATOR  GRETCHEN  GUESS,  co-sponsor  of SB  222,  recapped  the                                                               
purpose of the bill saying that  the problem of identify theft is                                                               
worse this year than last.                                                                                                      
                                                                                                                                
1:38:00 PM                                                                                                                    
SENATOR GENE  THERRIAULT, co-sponsor of  SB 222, said he  read an                                                               
article that  said 1,600 cases  of fraud and identify  theft were                                                               
reported  in  2004;  of  those,   400  were  identity  theft.  He                                                               
explained  that it  is very  difficult  to get  control of  one's                                                               
economic and personal  data once it has  been stolen. Recognizing                                                               
that consumers benefit from rapid  data availability, he realized                                                               
that simply freezing  data wouldn't allow stores  quick access to                                                               
information on customers who are  applying for a credit card, for                                                               
instance,  to take  advantage of  a  special sale;  and he  still                                                               
wanted  to give  consumers the  option  of being  able to  freeze                                                               
access to their data.                                                                                                           
                                                                                                                                
1:43:41 PM                                                                                                                    
CHAIR  BUNDE asked  if he  also envisioned  an instant  "opt out"                                                               
option so  that a credit  report could  be quickly obtained  by a                                                               
business that  has had  a person  apply for  one of  their credit                                                               
cards. He also asked how quickly  a person could apply the remedy                                                               
if his information had been stolen and used.                                                                                    
                                                                                                                                
SENATOR  THERRIAULT   responded  that  that  is   what  he  hoped                                                               
testimony would cover today.                                                                                                    
                                                                                                                                
1:44:50 PM                                                                                                                    
SENATOR  RALPH SEEKINS  asked what  interstate implications  this                                                               
bill would  have, since it  would be  Alaska law and  most credit                                                               
bureaus   that  are   accessed  for   personal  information   are                                                               
headquartered outside of Alaska.                                                                                                
                                                                                                                                
SENATOR THERRIAULT responded that the  state has the authority to                                                               
regulate  those   companies,  because  they  are   responding  to                                                               
inquiries of businesses within the state of Alaska.                                                                             
                                                                                                                                
SENATOR  SEEKINS asked  what if  a  customer was  in Seattle  and                                                               
there's a big  sale at Nordstrom's and he had  frozen his account                                                               
in  Alaska,  would  there  be a  statutory  requirement  for  the                                                               
enquiry to be frozen.                                                                                                           
                                                                                                                                
SENATOR THERRIAULT  replied, "I  don't think  that's the  way the                                                               
system works." He surmised that  for someone who had acquired his                                                               
data and  pretended to be  him, the  law would be  meaningless in                                                               
every one of the other states.                                                                                                  
                                                                                                                                
1:48:23 PM                                                                                                                    
SENATOR  SEEKINS  asked  where   the  definition  of  information                                                               
collector is located.                                                                                                           
                                                                                                                                
SENATOR GUESS replied that that definition  is on page 4, lines 6                                                               
- 8  and an information  collector is a  person who owns  or uses                                                               
personal information in any form... on a state resident.                                                                        
                                                                                                                                
SENATOR SEEKINS  asked if a  person who  wrote down his  zip code                                                               
was, by definition, an information collector.                                                                                   
                                                                                                                                
SENATOR  GUESS  replied  no and  that  the  personal  information                                                               
definition  is on  page 4,  lines  9 -  28 and  talks about  what                                                               
personal information is and, therefore, what it is not.                                                                         
                                                                                                                                
SENATOR SEEKINS  stated he thought  that definition needed  to be                                                               
clarified.                                                                                                                      
                                                                                                                                
1:51:44 PM                                                                                                                    
SENATOR  GUESS  asked if  Senator  Seekins  was referring  to  an                                                               
Alaskan resident  who may  be in Washington  who either  wants to                                                               
freeze or unfreeze his credit report.                                                                                           
                                                                                                                                
SENATOR  SEEKINS  rephrased his  question  stating  that the  law                                                               
would  apply to  all businesses  working  in Alaska,  but if  the                                                               
headquarters of  ABC Rating Company,  for instance, is  in Kansas                                                               
City (that  recognizes our state  law) and the enquiry  is coming                                                               
from  the  Nordstrom Store  in  downtown  Seattle, does  the  ABC                                                               
Reporting Company  have any statutory requirement  not to provide                                                               
that - even though the customer froze his report in Alaska.                                                                     
                                                                                                                                
SENATOR  THERRIAULT replied  that  the State  of  Alaska has  the                                                               
power to  regulate a  business entity that  is housed  outside of                                                               
the state if it has agreed  and wants to transact business in the                                                               
state of Alaska.                                                                                                                
                                                                                                                                
1:54:05 PM                                                                                                                    
CHAIR  BUNDE  posed his  Bahamas  question.  An Alaskan  resident                                                               
freezes his credit information; he  wins the lottery and moves to                                                               
the Bahamas and  he hasn't taken the freeze off.  Does the freeze                                                               
stay there until he removes it - no matter where he resides.                                                                    
                                                                                                                                
SENATOR THERRIAULT indicated yes.                                                                                               
                                                                                                                                
SENATOR  SEEKINS   asked  for  a   report  on   that  situation's                                                               
enforceability  by  the time  this  bill  came to  the  Judiciary                                                               
Committee.                                                                                                                      
                                                                                                                                
SENATOR THERRIAULT noted  that the bill breaks  down the controls                                                               
an individual  consumer can exert  over his information  and what                                                               
duties the companies  collecting the information have  to him, if                                                               
there is a breach of their internal security.                                                                                   
                                                                                                                                
1:56:01 PM                                                                                                                    
SENATOR SEEKINS asked about credit  accuracy on page 14. He asked                                                               
if  a person  disputes the  credit  information, does  he have  a                                                               
responsibility  to  report  it  immediately  to  the  information                                                               
collector.                                                                                                                      
                                                                                                                                
SENATOR  THERRIAULT replied  that the  business has  the duty  to                                                               
stop making reports.                                                                                                            
                                                                                                                                
1:58:05 PM                                                                                                                    
SENATOR JOHNNY ELLIS arrived.                                                                                                   
                                                                                                                                
1:58:52 PM                                                                                                                    
SENATOR GUESS responded  that language on page 14,  line 25, says                                                               
that   it  applies   to  those   companies   that  are   actually                                                               
distributing  the  information,  not  someone who  is  using  the                                                               
information.                                                                                                                    
                                                                                                                                
SENATOR SEEKINS  remarked that he didn't  want to end up  with an                                                               
affirmative responsibility  on the  part of  the merchant  who is                                                               
trying to gain information to make a credit decision.                                                                           
                                                                                                                                
2:00:24 PM                                                                                                                    
JOHN GEORGE,  American Council of  Life Insurers, said  that some                                                               
of his concerns  had been addressed, but he still  had issues. He                                                               
didn't think a  company should be required to do  business with a                                                               
person if  he refuses to give  it his social security  number. In                                                               
the life insurance business, he said:                                                                                           
                                                                                                                                
     We  need  to make  sure  that  we're paying  the  right                                                                    
     beneficiary.  We need  to know  that that's  absolutely                                                                    
     the  right  guy  and  a social  security  number  is  a                                                                    
     personal  identifier; it's  a  number that's  generally                                                                    
     collected....                                                                                                              
                                                                                                                                
He further  explained that  if a person  uses another  name, like                                                               
their  pet cat's  name, Fluffy,  the  person who  filled out  the                                                               
application knows that, but their heirs  who are the ones who are                                                               
going  to be  collecting  on the  policy may  not  know that.  He                                                               
explained:                                                                                                                      
                                                                                                                                
     We really  need an identifier that  is consistent, that                                                                    
     can be verified and for  someone to refuse to give that                                                                    
     type of  information may  make it  difficult for  us to                                                                    
     identify who  the real deceased is  and, therefore, who                                                                    
     the legal beneficiaries are.                                                                                               
                                                                                                                                
He  also  had problems  with  the  notification requirement  that                                                               
would force them  to notify every policyholder in  the state that                                                               
they had  a breach  of security if  someone accidentally  got the                                                               
wrong letter in the mail and sent it back.                                                                                      
                                                                                                                                
2:04:01 PM                                                                                                                    
CHAIR  BUNDE asked  if banks  could still  refuse to  cash checks                                                               
without a person showing his social security number first.                                                                      
                                                                                                                                
MR. GEORGE replied  that he didn't know if cashing  a check could                                                               
be considered  "doing business" and  that's the language  that is                                                               
used.  Selling  a life  insurance  policy  to someone  is  really                                                               
"doing business" with him.                                                                                                      
                                                                                                                                
CHAIR BUNDE  instructed him to  work with the bill's  sponsors on                                                               
resolving his issues.                                                                                                           
                                                                                                                                
2:05:52 PM                                                                                                                    
LISA CORRIGAN,  President, Alaska  Bankers Association,  said she                                                               
is also Executive  Vice President and Chief  Operating Officer of                                                               
Alaska Pacific  Bank. She stated  the Alaska  Bankers Association                                                               
supported  the  intent  of this  legislation  saying,  "Our  very                                                               
integrity  depends   upon  our  ability  to   safeguard  customer                                                               
information, not  just their  money, but  any of  their sensitive                                                               
information."                                                                                                                   
                                                                                                                                
Her  comments pertained  to three  points  of clarification.  The                                                               
first issue  was language in  Section 1 concerning  disclosure of                                                               
breach of  security. It appears to  state that a bank  would have                                                               
to  notify  affected  persons  regardless  of  whether  sensitive                                                               
customer information had actually  been accessed for unauthorized                                                               
purposes and that language goes too far.                                                                                        
                                                                                                                                
She  explained that  banks are  already operating  under numerous                                                               
regulatory  rules  and  guidelines from  the  federal  regulatory                                                               
authorities  governing   all  banks  that  was   developed  as  a                                                               
requirement in the Gramm-Leach-Blighly Act regarding privacy.                                                                   
                                                                                                                                
Banks  are required  to look  at  how likely  it is  that such  a                                                               
breach  would occur  and how  vulnerable their  data would  be in                                                               
that event and  they have to come up with  a program of response.                                                               
Regulation language says:                                                                                                       
                                                                                                                                
     If  the bank  determines through  this risk  assessment                                                                    
     process  in their  analysis of  the breach  itself that                                                                    
     such misuse  has occurred or it  is reasonably possible                                                                    
     that misuse  will occur, then notification  of affected                                                                    
     customers is required as soon as possible.                                                                                 
                                                                                                                                
Secondly,   she   recommended    different   language   regarding                                                               
notification  to   law  enforcement,   again  from   the  banking                                                               
interagency   guidance.  Instead   of  stating   that  just   the                                                               
Department of  Law needs to  be consulted to  see if there  is an                                                               
on-going investigation, the association  wanted to make sure that                                                               
all appropriate law enforcement agencies would be referenced.                                                                   
                                                                                                                                
Thirdly,  the protection  of social  security number  language on                                                               
page 15 talks about having a  waiver for a refusal to do business                                                               
with an individual  if a business is required to  submit a social                                                               
security number to  the federal government. She  pointed out that                                                               
there are  cases in which a  bank is required to  obtain a social                                                               
security number, as under the  Patriot Act, so that an individual                                                               
who wants to  open an account can be  definitively identified. If                                                               
that person is  not a primary signer on the  account, that social                                                               
security number will  probably not be reported to the  IRS and is                                                               
held  in the  bank's  records  as a  form  of identification.  To                                                               
resolve  this, she  asked the  committee to  delete "submit"  and                                                               
insert "obtain" on line 30.                                                                                                     
                                                                                                                                
CHAIR BUNDE asked  if she thought this  legislation prevented her                                                               
from requiring  a social  security number from  a person  who was                                                               
cashing a check at her bank.                                                                                                    
                                                                                                                                
MS. CORRIGAN  replied that she  didn't see  that as a  problem as                                                               
long  as the  bank  is allowed  to obtain  it  without having  to                                                               
submit it to the federal government.                                                                                            
                                                                                                                                
2:13:58 PM                                                                                                                    
RON JORDAN,  Anchorage, said  he was  testifying for  himself and                                                               
his  deceased  brother-in-law's  behalf, having  dealt  with  his                                                               
identity  theft.  His  brother-in-law  had a  housemate  who  was                                                               
renting from him  who stole his identification.  While Mr. Jordan                                                               
supported  SB 222,  he  didn't  think the  penalties  in it  were                                                               
strong enough.  Mandatory jail time and/or  restitution should be                                                               
involved.                                                                                                                       
                                                                                                                                
2:16:13 PM                                                                                                                    
ED SNIFFEN,  Assistant Attorney General,  said he  specializes in                                                               
consumer law  and supported the  overall intent of  the sponsors,                                                               
but he  had some  concerns about  the way SB  222 would  impact a                                                               
variety of  state agencies that  collect personal  information as                                                               
defined in this bill. He was  working to amend some provisions to                                                               
provide the  protections for  state agencies  that are  trying to                                                               
conduct state business without fear  of having to absorb enormous                                                               
expenses  to  notify  state residents  for  some  incidental  and                                                               
perhaps unintentional exchange of information.                                                                                  
                                                                                                                                
On Senator Seekins'  question about applicability of  this law if                                                               
one was to  cross state lines and if an  Alaskan resident calls a                                                               
credit  bureau in  Minneapolis to  put  a freeze  on this  credit                                                               
report,  he stated  that that  credit reporting  agency would  be                                                               
required to honor that freeze regardless of who called.                                                                         
                                                                                                                                
2:18:40 PM                                                                                                                    
CHAIR BUNDE  asked if the person  who wishes that service  has to                                                               
identify  himself as  an Alaskan  resident  to access  protection                                                               
under Alaska law.                                                                                                               
                                                                                                                                
MR.  SNIFFEN  replied yes,  the  bill  requires the  resident  to                                                               
provide sufficient identification to the  bureau. It has to honor                                                               
his request  if it wants  to continue  to do business  in Alaska.                                                               
Half the states have the same requirement.                                                                                      
                                                                                                                                
CHAIR BUNDE thanked  people for their comments and  said the bill                                                               
would be held for further work.                                                                                                 

Document Name Date/Time Subjects