Legislature(2007 - 2008)HOUSE FINANCE 519
01/23/2008 01:30 PM House FINANCE
| Audio | Topic |
|---|---|
| Start | |
| HB65 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| + | HB 65 | TELECONFERENCED | |
HOUSE FINANCE COMMITTEE
January 23, 2008
1:39 p.m.
CALL TO ORDER
Co-Chair Meyer called the House Finance Committee meeting to
order at 1:39:31 PM.
MEMBERS PRESENT
Representative Mike Chenault, Co-Chair
Representative Kevin Meyer, Co-Chair
Representative Bill Stoltze, Vice-Chair
Representative Harry Crawford
Representative Les Gara
Representative Mike Hawker
Representative Reggie Joule
Representative Mike Kelly
Representative Mary Nelson
Representative Bill Thomas Jr.
MEMBERS ABSENT
Representative Richard Foster
ALSO PRESENT
Representative John Coghill; Kevin Brooks, Deputy
Commissioner, Department of Administration; Clyde (Ed)
Sniffen Jr., Senior Assistant Attorney General, Department
of Law; Marie Darlin, Alaska Association of Retired People;
Jon Burton, VIP Government Relations, Choice Point; Audrey
Robinson, Manager, State and Government Affairs, Reed
Elsevier/LexisNexis; Jennifer Flynn, Director, Government
Affairs, Consumer Data Industry Association.
PRESENT VIA TELECONFERENCE
Gail Hillebrand, Senior Attorney, Consumers Union; Steve
Cleary, Executive Director, Alaska Public Interest Research
Group (AkPIRG); Lori Davey, Motznik Information Services;
Richard Crabtree, Attorneys at Law, Anchorage; Mark
Lawrence, Anchorage; Lorie Buckley, Director, North County
Process, Anchorage.
SUMMARY
HB 65 "An Act relating to breaches of security involving
personal information, credit report and credit
score security freezes, consumer credit
monitoring, credit accuracy, protection of social
security numbers, care of records, disposal of
records, identity theft, furnishing consumer
credit header information, credit cards, and debit
cards, and to the jurisdiction of the office of
administrative hearings; amending Rule 60, Alaska
Rules of Civil Procedure; and providing for an
effective date."
HB 65 was HEARD and HELD in committee for further
consideration.
HOUSE BILL NO. 65
"An Act relating to breaches of security involving
personal information, credit report and credit score
security freezes, consumer credit monitoring, credit
accuracy, protection of social security numbers, care
of records, disposal of records, identity theft,
furnishing consumer credit header information, credit
cards, and debit cards, and to the jurisdiction of the
office of administrative hearings; amending Rule 60,
Alaska Rules of Civil Procedure; and providing for an
effective date."
1:40:34 PM
REPRESENTATIVE COGHILL, testified in support of HB 65, which
he referred to as the "Alaska Personal Information
Protection Act." He maintained that HB 65 would help the
State manage personal information with accountability.
Representative Coghill explained that federal laws regulate
different industries in different ways relating to privacy
protection, which complicates the process. The issue is
how to devise a law that protects consumers and their
identity information while allowing business industries to
use that information properly. When the information is not
used properly, the question is how to hold businesses
accountable and how to notify consumers when their identity
has been compromised.
Representative Coghill highlighted the section of the bill
addressing Permanent Fund reporting and access to
information connected to the Permanent Fund. He briefly
described each of the seven articles making up the main body
of the bill.
1:44:47 PM
Article 1: Breach of Security of Personal Information -
requires disclosure of breaches of security
involving personal information.
Article 2: Credit Report and Credit Score Security
Freeze - allows consumers to freeze and
unfreeze access to their credit information
at their discretion.
Article 3: Protection of Social Security Number -
restricts sale and distribution, puts it in a
more restrictive environment than the law
sets up currently.
Article 4: Disposal of Records - requires complete
destruction of electronic and paper records
that contain personal information.
Article 5: Right to File Police Report Regarding
Identity Theft - allows a person that falls
victim to identify theft the right to a
police report to make a factual
declaration of innocence.
Article 6: Truncation of Card Information - sets up
guidelines for use of card numbers on
receipts.
Article 7: General Provisions - provides definitions for
terms within the chapter, and cites the short
title of this bill as the Alaska Personal
Information Protection Act.
1:48:24 PM
Representative Joule asked about identifying a social
security number (SSN) using the last four numbers. Since
Alaskans born in Alaska all have the same first three
numbers, if the last four numbers are known, only the middle
two numbers have to be found. Representative Coghill thought
when the SSN was out for public view the last four numbers
should be truncated. Representative Hawker said the bill
only pertains to truncation of credit card numbers, not the
SSN.
1:51:55 PM
Representative Gara was identified as a co-sponsor of House
Bill 65. He confirmed that the bill forbids the selling and
trading of any part of an SSN. The four-number truncation
issue applies to a growing problem with using credit cards.
Not all copies have to be truncated according to federal
law. House Bill 65 requires the merchant copy to be
truncated as well as the customer's copy.
1:53:38 PM
Representative Hawker noted the issue is complex and
wondered whether some sections of the bill are less
controversial than others. Representative Coghill thought
the least contentious one would be the disposal of records,
but still thought amendments would be proposed for every
section. He anticipated response in relation to the credit
score freeze, dealing with both costs and process; also with
buying, selling or trading SSNs. He thought the general
provisions and definitions sections in each area might raise
issues; for example the difference between a credit
reporting agency and a consumer credit reporting agency. He
thought there would be more agreement about breach of
security issues.
1:57:13 PM
Co-Chair Meyer asked if other states were referenced.
Representative Coghill said 32 other states have similar
laws. Alaska will benefit from that experience. House Bill
65 has the right template and some good policy, but there
will be some policy decisions. Representative Gara added
that all or most of the sections are on subjects that other
states have regulated.
1:59:54 PM
Representative Coghill pointed out that when Alaska began
the debate, not many states had passed laws. On some issues,
such as SSN, Alaska is ahead.
Representative Nelson noted that there was only one letter
of opposition in the backup materials provided and that was
to technical points (letter from AOL, Google, etc.).
Representative Coghill reiterated that the bill was in
everyone's best interests.
2:01:33 PM
Representative Nelson voiced concerns about the way the bill
was amended in Judiciary to allow access to Permanent Fund
records by businesses.
Vice-Chair Stoltze stressed the difficulty victims of
identity theft experience.
2:04:32 PM
Representative Coghill expressed his determination to
advocate for individual Alaskans and also his sympathy
towards businesses that need to move information while
trying to navigate both state and federal laws.
2:06:04 PM
Co-Chair Meyer wondered if municipalities have addressed the
issues.
2:07:15 PM
KEVIN BROOKS, DEPUTY COMMISSIONER, DEPARTMENT OF
ADMINISTRATION provided information on the legislation. The
State's approach to the bill has been twofold: first, how
the State, as the keeper of numerous records, would be
affected by penalties contemplated by the bill; and second,
how the State would manage the considerable amount of data
necessary to the business of government, from retirement and
Permanent Fund data, to business and payroll records.
2:09:15 PM
CLYDE (ED) SNIFFEN JR., SENIOR ASSISTANT ATTORNEY GENERAL,
DEPARTMENT OF LAW, CONSUMER AFFAIRS described one of his
job responsibilities as enforcement of Alaska's Consumer
Protection Act, including education about identity theft.
The State's concern with the bill includes provisions that
expose the State to liability for individual lawsuits that
seek to recover both economic and noneconomic damages. Under
current state law, noneconomic damages are capped at
$400,000 per individual. Mr. Sniffen described a
hypothetical scenario in which 500,000 SSNs get released,
resulting in several tens of billions of dollars in
potential liability. The State has been working with the
bill's sponsors to limit damages to economic losses. He
acknowledged that people should be compensated for actual
losses, but emphasized that non-economic loses can create
significant problems for the state of Alaska in terms of
exposure.
2:11:46 PM
Mr. Sniffen also addressed the issue of the Permanent Fund
Dividend (PFD) exception added to the bill in Judiciary.
That section creates a broad exception to the disclosure of
PFD applicant information. As written now, anyone with a
business license who goes to the PFD office and is able to
show a driver's license (which is easy to obtain) and says
they are the person on the license can ask for and obtain
information. There is no review of that request. The current
language of the bill allows access to the information,
including SSN and banking information, to nearly anyone who
wants it.
2:13:01 PM
Vice-Chair Stoltze appreciated Mr. Sniffen's testimony on
the issue of the State's exposure, but thought a penalty
provision for bad action might be an important motivator.
Mr. Sniffen said the State operates differently than private
industry. A business might be motivated to take action in
response to a bill like House Bill 65. They can insure
against the loss and build in procedures to protect against
it. The State doesn't have those options but is required by
law to collect, use and disclose information, including
personal information. Certainly the State needs to be
motivated to take the precautions the bill requires.
Motivation is built into the bill in the form of civil
penalties, for example. However, the bill exposes the State
to subjective damages that would not further the goals of
the legislation. Mr. Sniffen did not think these penalties
would motivate agency personnel to act differently than if
the provisions were not there.
2:15:47 PM
Representative Hawker agreed that the economic loss limit
made sense and thought the committee would agree. He
disagreed with Mr. Sniffen's analysis regarding access to
PFD information. He asked whether there was any substantive
difference between making the name, mailing address and
birth year of an applicant publicly available, and the
information on the voter registration list, which is
publicly available, by law, without stricture.
Mr. Sniffen did not know about voter registration access.
Typically information that could be found in a phone book is
not considered harmful. This bill requires that for
information to be considered personal it has to have
features such as person's last name and first initial plus
another identifier such as PIN number or SSN.
2:17:18 PM
Representative Hawker thought there was far more information
available in the voter record. He spoke to Mr. Sniffen's
testimony regarding the availability of PFD information such
as SSN and banking information. The language in the bill
(page 3, line 16 of CS (JUD)) would limit disclosable
information to name, mailing address and birth year of the
PFD applicant. He asked if that would change Mr. Sniffen's
testimony. Mr. Sniffen said it would, although the birth
year was still troublesome.
2:20:02 PM
Representative Gara said it was hard to speak for those who
passed the law that prevented information from being made
available in the past. He thought it was spurred by a
stalker finding a home address and finding a person. He
could not recall the specific case, but it did not end well.
The PFD data base is the most comprehensive and updated data
base of personal information the State has. Voter
registration information tends to be more dated.
Representative Nelson agreed with Mr. Sniffen's two points
regarding exposing the State to liability and the PFD
information. Having the information available leaves the
State liable for serious non-economic damages. She didn't
think having a home versus mailing address would make a
significant difference because of how easy it is to find out
where someone lives in small communities. She did not think
people who are victims of stalking or domestic violence
should be precluded from applying for a dividend because
they're afraid of their information getting out.
Representative Nelson was surprised that the legislation was
amended in the House Judiciary Committee. The language
expands the amount of information people can find on a
citizen. She thought the ability for businesses or
candidates to have access to PFD information should not be
within the bill, but should be separate.
Representative Nelson noted that identity theft is often a
group effort. For many, this is a full time job. Some have
been prosecuted using the RICO statute. She wondered if
Alaska was looking at that. Mr. Sniffen advised that the
State is not currently looking at the federal end. Most
identity theft is prosecuted by the State's criminal
division. He clarified that identity thieves do operate in
a variety of ways; some specialize in some areas, some in
others. They sell each other information. It's best to
limit availability to even small pieces of information.
2:26:28 PM
Co-Chair Meyer asked if the municipalities had been
consulted. Mr. Sniffer replied they had not.
Co-Chair Meyer asked about the fiscal note. Mr. Brooks
explained that the fiscal note request was in the amount of
$2 million dollars for encryption. There are also dollars
included in the capital budget to encourage the State to
look at all business practices, especially the disposal of
paper. The department has submitted appropriation requests
to update security since an attack on the State's network in
2005. Securing the State's data will be an on-going
process. There are more and more sophisticated attacks on
the State's databases.
2:29:00 PM
Representative Gara asked if there would be testimony taken
from the Office of Risk Management. He wondered if there
would be many claims for non-economic damages; he thought
Risk Management would say that less than 1 percent of the
cases against the State would have $400,000 in non-economic
damages awarded. Mr. Brooks stated those cases do exist even
though they are a minority and offered to provide the
requested information. The exposure is huge because of the
multitude of data bases. Mr. Sniffen added that even at 1
cent on the dollar, there would be billions of dollars of
liability. Attorneys could make a case that, whether a
person has suffered any monetary harm at all, knowing their
personal information has been compromised creates undo
anxiety. He anticipated emotional distress claims. Economic
damages are not the issue; the non-economic, subjective ones
are of greatest concern.
2:32:01 PM
MARIE DARLIN, COORDINATOR OF CAPITAL CITY TASK FORCE,
ALASKA-ASSOCIATION OF RETIRED PERSONS (AARP), thanked
members for the work done on the legislation. (Letter on
file.) AARP believes that HB 65 will be one of the most
comprehensive anti-theft bills nationwide. Articles 2 and 3
(Credit Report and Credit Score Security; Protection of SSN)
make a good start on the problems. She pointed out that
older identity theft victims have a higher mortality rate
than non-victims of the same age. She anticipated that the
legislation would help address those concerns and urged
passage of the bill.
2:35:31 PM
JON BURTON, VICE PRESIDENT, GOVERNMENT RELATIONS, CHOICE
POINT, represented an information services company working
for businesses and government. He testified that ChoicePoint
does not oppose data breach notification, nor efforts to
limit availability to SSNs. Their issues are related to
compliance and consistency. Since there are no federal laws,
his company has to work with a wide variety of state laws.
ChoicePoint's main concerns about HB 65 relate to SSN
provisions. They would like to limit the availability of
SSNs in the public arena.
2:41:03 PM
Representative Joule referred to a television commercial
about protecting identity and wondered if the issue was
stopping the numbers getting out there, or how the numbers
got used. Mr. Burton said that the question of whether the
SSN is the key to the lock or just one of the tools to open
the lock is an on-going policy debate.
2:43:51 PM
Representative Hawker spoke to the section of the bill that
prohibits the sale, lease, loan, trade or rental of an
individual SSN to a third party. He asked if Mr. Burton had
any concerns that the prohibition might prevent his
corporation from selling a business unit where the data
basis including that information is a significant asset. Mr.
Burton agreed that kind of transaction would be impacted by
the bill.
2:46:11 PM
Representative Gara pointed out that the bill was first
filed right after the 2004 ChoicePoint breach. One of the
provisions of the current bill says that when a company
releases personal information and then finds out about it,
they have to notify the people whose information was
breached. When the ChoicePoint breach occurred, Californians
were notified before Alaskans. He asked Mr. Burton to
explain. Mr. Burton confirmed the company was breached and
said they did notify Californians first because California
was the only state with a law requiring notification.
ChoicePoint did voluntarily conduct a fifty-state
notification. He said the complications of the 2004 breach
and aftermath illustrate the need for consistency across the
states.
2:48:25 PM
AUDREY ROBINSON, MANAGER, STATE AND GOVERNMENT AFFAIRS, REED
ELSEVIER/LEXIS/NEXIS testified that her company does not
oppose House Bill 65. Their issues focus on the security
breach notification provisions of the bill, specifically
related to the definitions section. Most states have similar
legislation with about five items that must be linked in
order to require a security breach notification. House Bill
65 creates more of a risk, alerting possible spammers to
target someone, potentially increasing the number of
notifications that can be given, which tends to make it
difficult for consumers to discern which are important
enough to require action. The bill also doesn't have a risk
of harm standard.
2:51:19 PM
MS. Robinson agreed with the other companies she carried the
letter for (on file) on the point that email notification of
breach would be reasonable. Reed Elsevier is also concerned
with liability. They are supportive of civil actions and
feel class actions are inappropriate means of remedying the
situation.
2:55:01 PM
Representative Hawker clarified the issue of electronic
records vs. paper records and asked Ms. Robinson if a
reading of the bill could be construed to include paper
records with addresses. Ms. Robinson replied that other
state law does not include address and phone number in the
personal information definition. She felt the provision
would make the definition overly broad; a mis-delivered
piece of mail could be a breach and require notification.
2:56:51 PM
Representative Gara turned to page 7 of the bill and pointed
out that the definition of personal information refers to
more than an individual's name and address. It must be a
combination of name, address or telephone number and one or
more other elements such as SSN, driver's license number or
account numbers. Those are the things not allowed to be
released to the public. Ms. Robinson replied that a piece of
mail such as an opened bank statement that was mis-delivered
would be considered a breach. Representative Gara disagreed.
2:58:29 PM
JENNIFER FLYNN, DIRECTOR, GOVERNMENT AFFAIRS, CONSUMER DATA
INDUSTRY ASSOCIATION identified her company as representing
the bulk of credit reporting agencies across the country.
She focused on the freeze provisions in the bill.
3:00:01 PM
Representative Gara revisited his previous point and
stressed that information collectors are required to notify
a person if an individual's personal information has been
breached. One individual does not have to notify another if
they receive their mail by accident.
3:00:20 PM
Ms. Flynn continued with her testimony, stating that her
company did not oppose the bill and the intent behind it,
but that they are concerned about consistency. At this time
they have to consider the laws of 39 different states, plus
Washington, D.C., regarding security freeze. Their goal is
to help create as much consistency as possible, so they can
continue to do business. They intend to work closely with
Representatives Gara and Coghill regarding specific
technical changes.
Ms. Flynn identified California as the state with the
longest experience with this kind of law. Most other states
tend to mirror California's language. She compared HB 65 to
California law, which has been in existence for six years.
She observed that HB 65 calls for immediate lifts and
removals. She referred to the provision for notification of
erroneous release and observed that entities are generally
given five days for notification after discovery. "After
discover" would need to be added. There is concern regarding
the placement of the reseller provisions. She favored a fee
structure similar to California's: $10 to lift, place or
remove. She acknowledged that other states have provided
other fee structures. She stressed that her organization
supports many aspects of the legislation (SSN, breach,
freeze and security provisions) and felt the suggested
changes would help get the support of consumer reporting
agencies, while providing protection for Alaska.
3:05:21 PM
Representative Hawker commented on credit freeze and the
strong concerns indicated by the public especially regarding
credit agencies. He asked if a standard had been
established. Ms. Flynn stated that the freeze is a voluntary
program and that there is model legislation established in
how to freeze. Representative Hawker thought having the
sponsors reconcile that standard with the proposal before
the Legislature would be a good basis from which to move
forward.
3:08:41 PM
Representative Gara commented that even if Alaska did
conform to the standard there would still be differences
between states. Ms. Flynn replied that there is much
conformity with the standard. She listed some of the
standard provisions of the model legislation.
Representative Gara asked about fees. Ms. Flynn explained
that it costs $30 dollars to place the freeze. It costs $30
to lift the freeze for any period of time. The service is
free if the person is a victim of identity theft.
Representative Gara asked how many states charge less than
$10 each. Ms. Flynn responded that the range on average is
between $0 and $12, so a standard would be $5-$10.
3:13:04 PM
Representative Crawford inquired who she had discussed the
model legislation with in Alaska. Ms. Flynn responded that
their lobbyist, Kim Hutchinson, had spoken to a number of
legislators over time.
3:14:59 PM
GAIL HILLEBRAND, (TESTIFIED VIA TELECONFERENCE), SENIOR
ATTORNEY, WEST COAST OFFICE OF CONSUMERS' UNION, identified
herself as one of the drafters of the Consumers Union model
law on security freeze, notice of breach and other identity
theft protections. They built the model on California's law
and added improvements as other states made them.
Ms. Hillebrand described some of the basic ideas of the
model. The first is prevention. The security freeze gives
consumers an opportunity to stop opening new accounts in
their name, such as cell phone accounts. Sixteen percent of
Alaska's identify theft complaints were about false utility
accounts. She stressed the lack of consistency among the
existing state laws and recommended consistency with the
stronger states. California, Illinois, New York and Texas
have a strong no-loophole approach. The customer gets the
notice of breach if certain combinations of things occur;
then they can decide whether to take action. Consumers Union
is concerned about consumers not being given enough notice.
Ms. Hillebrand discussed other states' approaches to SSNs.
She cautioned against broad exemptions that simply refer to
federal statutes, such as the Fair Credit Reporting Act,
because those statutes were crafted for much different
purposes than restricting the collection, use or sale of
SSNs.
3:23:21 PM
STEVE CLEARY, (TESTIFIED VIA TELECONFERENCE), EXECUTIVE
DIRECTOR, ALASKA PUBLIC INTEREST RESEARCH GROUP (AKPIRG)
said his organization has been advocating for consumers in
Alaska since 1974 and supports House Bill 65. Alaska topped
the nation in fraud complaints in 2005, including identity
theft. Consumers can spend over 175 hours and $1000 to
remedy the effects of identity theft. The Alaska Public
Interest Research Group is most excited about the security
freeze and mandatory notification because those tools help
consumers protect themselves from identity theft.
3:27:32 PM
LORI DAVEY, (TESTIFIED VIA TELECONFERENCE), MOTZNIK
INFORMATION SERVICES testified in favor of House Bill 65.
She supported the bill's definition of what constitutes
"personal information" and legal recourse for its misuse.
She supported re-authorizating the use of PFD names, mailing
addresses and year of birth for legitimate business purposes
and described the effects of the loss of access to PFD
mailing addresses in 2005. She maintained that the only
people the present law protects are criminals who do not
want to be found. She commented on a recent case involving
the Pilgrim family and how they used PFD funds. She thought
victims of identity theft or mistaken identity have little
resource to differentiate themselves from criminals or other
individuals with the same name. (Statement on file.)
3:31:17 PM
Representative Nelson wondered how to recognize legitimate
businesses. A fishing permit, for example, is counted as a
business license. That could be used to get information. Ms.
Davey responded that in addition to having the license the
person would have to have a legitimate reason for the
request for information.
Representative Nelson described Alaska as the only
government wealthy enough to distribute money (the PFD) and
so collect information on this scale and asked what other
states or nations do when businesses are trying to obtain
that kind of information. Ms. Davey said they use other
kinds of national data bases, such as Lexis/Nexis and
ChoicePoint.
3:34:05 PM
Vice-Chair Stoltze hoped the public testimony will stay
open. Co-Chair Meyer turned the chair over to Co-Chair
Chenault.
3:35:26 PM
RICHARD CRABTREE, (TESTIFIED VIA TELECONFERENCE) ATTORNEY AT
LAW, ANCHORAGE voiced concerns about keeping PFD information
accessible for legitimate purposes. He cited the example of
the need to track down the heirs to an estate and other
instances when people need due process. He observed that PFD
information can be critical in these instances, especially
when there are people in an area with the same names. He
also supported limiting damages in breach of security cases
to actual damages.
3:38:44 PM
MARK LAWRENCE, (TESTIFYIED VIA TELECONFERENCE), ANCHORAGE
works for one of the largest credit card processors in
Alaska. He is part of a merchant advocacy program call the
Merchant Bill of Rights that educates merchants on the
importance of encryption and the transition and storage of
credit card numbers. He addressed the issue of truncation,
pointing out that it is not difficult to truncate the
numbers on both receipts.
3:41:13 PM
LORIE BUCKLEY, (TESTIFIED VIA TELECONFERENCE), DIRECTOR,
NORTH COUNTRY PROCESS, ANCHORAGE agreed with much in the
previous testimonies. She added that data such as addresses,
alias names and SSNs are required to assist individuals who
have been awarded a judgment or are seeking a judgment. The
State gives individuals the right to sue, but in order to
win they must know the name, SSN and/or date of birth. An
address is required at the beginning of the process to serve
an original complaint. Statistically, 25% of people who make
complaints are not located and PFD data is valuable in
locating individuals to serve them legal process. She would
like the Committee to look at provisions allowing Alaska
businesses access to Permanent Fund data.
3:47:52 PM
Co-Chair Chenault stated he would not close public testimony
as there may be others who will want to testify at a later
time.
Vice-Chair Stoltze commented on testimony regarding the
Pilgrim family, stating that while there was abuse of the
system there is no evidence indicating a pattern.
3:49:31 PM
Representative Coghill closed his testimony by stating his
intention to take suggestions and work on draft amendments.
He planned to separate issues related to language from those
that would require policy calls. He hoped to get the bill to
conform to the best standards available to facilitate its
movement through the Legislative process by the end of the
session.
HB 65 was heard and HELD in Committee for further
consideration.
ADJOURNMENT
The meeting was adjourned at 3:51 PM
| Document Name | Date/Time | Subjects |
|---|