HB 226 - PERSONAL INFORMATION BREACH

[Contains brief mention that language of proposed amendments to HB 226 was derived from SB 222.]

1:43:04 PM

CHAIR McGUIRE announced that the next order of business would be HOUSE BILL NO. 226, "An Act relating to breaches of security involving personal information; and relating to credit report security freezes." [Before the committee was CSHB 226(L&C).]

REPRESENTATIVE GARA, speaking as the sponsor, relayed that HB 226 is intended to address situations involving security breaches at financial companies that trade, hold, and supply individuals' personal and financial information. At the time the bill was started, only 3 or 4 states were responding to this issue, but more have responded since then. The bill is in response to a situation that occurred over a year ago, when a company called ChoicePoint, Inc. ("ChoicePoint"), experienced a security breach that affected about 145,000 clients. Because California law mandated that clients be notified of such security breaches, ChoicePoint notified its clients located in California, but didn't notify any of its clients located elsewhere.

REPRESENTATIVE GARA explained that HB 226 is modeled in part on two provisions of that California law: one, when a company releases a person's financial information accidentally because of theft, that company must notify the person of that security breach; two, when a person has an indication that his/her information is no longer secure, the person will have the right to call the three consumer financial information clearinghouses and have them put a freeze on releasing his/her credit information to a third party.

1:47:40 PM

JOHN L. GEORGE, Lobbyist for American Council of Life Insurers (ACLI), relayed that the ACLI has been working with the sponsor on this bill and the sponsor has been very accommodating, and characterized CSHB 226(L&C) as a better version than the original bill.
He indicated that he has two issues to discuss and both pertain to language in proposed AS 45.48.390 located on pages 11-12. Proposed subparagraph (A) indicates that "personal information" consists of a combination of an individual's first name or first initial, the individual's last name, and one or more of the following: the individual's social security number; the number of the individual's driver's license or state identification card; the individual's account number, or credit card or debit card account number; or account passwords, personal identification numbers, or other access codes. However, he pointed out, proposed subparagraph (B) states that "personal information" could consist of one of the aforementioned elements if it would be sufficient to engage in or attempt to engage in the theft of the individual's identity.

MR. GEORGE opined that as written, this definition is ambiguous; "personal information" should consist of one or the other, either what's specified in subparagraph (A) or what's specified in subparagraph (B). For example, under subparagraph (B), a social security number would be sufficient, whereas under subparagraph (A), both the individual's name and social security number would be required. He suggested that the removal of subparagraph (B) would improve the bill substantially. He then referred to the language on page 11, line 23 - which says in part, "the information elements are not encrypted" - and said he is unable to find a definition of encryption. He suggested, therefore, that the words, "or secured by another means rendering the information unreadable" be added; such a change would cover both current and future technology without harming the intent of the bill.

MR. GEORGE, in response to a question, clarified that his suggested change would be to replace - on page 11, lines 23-24 - the words, "or redacted" with the words: ", redacted, or secured by another means rendering the information unreadable".

REPRESENTATIVE GARA offered his belief that neither suggested change is needed. The term "encrypted" is used in California, he relayed, and opined that a definition of that term is unneeded. He indicated that simply saying something is unreadable is vague, whereas if an encrypted item is released it won't constitute a security breach. He elaborated:

We want to say that it's a security breach when certain personal information is released - part of it has to be the person's name; we don't really want to regulate it if the person's name is not associated with the security breach - that's just not really a big security concern. ... That's why, ... [in subparagraph (A)], it's two pieces of information that have been released - your name and then some identifying information [such as] your bank account [number or] your social security number - that's a big concern. The catchall in [subparagraph] (B) says, however, [that] there might be some circumstances where even just the release of one piece of this information is a danger. And you can imagine where just releasing somebody's credit card number or bank account number by itself could be a danger to the consumer. So that's why ... California put this ... [language in its law] as well. So I don't know why you would not want to protect a consumer if a piece of information, standing by itself, would be sufficient to allow somebody to engage in or attempt to engage in the theft of the individual's identity; if it's a piece of information that endangers the consumer, I think that, standing alone, is a breach. And, really, again, all [the company has] ... to do is tell the consumer.

REPRESENTATIVE GARA, in response to a question, opined that it won't be burdensome for a company to determine whether there has been a breach. A company should notify an individual if his/her account number, credit card number, access code, or password has been released.
He pointed out that the bill only applies if the company knows the information has been breached, and then the only requirement is that the company notify the consumer. He added: "I don't think any company's going to have to sort of sit there and pull their hair out and go, 'Shoot, we released somebody's social security number, should we tell them?' I think the answer is yes - it's a courtesy."

1:55:36 PM

LISA J. CORRIGAN, Executive Vice President & Chief Operating Officer, Alaska Pacific Bank; President, Alaska Bankers Association, relayed that Alaskan bankers share the concerns of the sponsor and other members of the committee, and are dedicated to protecting the privacy and security of sensitive customer information. In fact, she added, the reputation and the safety and soundness of the banking industry depend on a foundation of security and integrity, and the banking industry knows it has a fiduciary responsibility to its customers, not only to protect their money, but to also protect their sensitive personal information. She assured the committee that the banking industry takes security breaches and all other related issues very seriously.

MS. CORRIGAN relayed that her comments will pertain to two provisions located on pages 1 and 2, adding that [her organizations] think that the remainder of the bill is great. She offered her belief that the concerns [she is about to express] will be adequately addressed via a forthcoming proposed amendment.

1:57:22 PM

MS. CORRIGAN remarked that [subsection (a) of proposed 45.48.010] appears to appropriately require disclosure of a breach of security if sensitive, personal information is reasonably believed to have been acquired by an unauthorized person. However, that language doesn't go further to stipulate that the information has been accessed for unauthorized purposes. This [lack] is a bit of a difference from the banking "guidance" that banks already operate under.
Since banks are already operating under a complicated web of federal and state regulations, whenever possible [banks] would like to see legislation that's consistent with [the rules] they must already comply with.

MS. CORRIGAN referred to the Gramm-Leach-Bliley Act (GLBA), which required banking regulators to issue guidance, and to continue issuing guidance, to banks. That guidance requires banks to create information security systems; complete a comprehensive risk assessment relating directly to the subject of HB 226 - the likelihood of, and vulnerability to, unauthorized access to sensitive customer information; and to subsequently develop and implement a response program - basically disaster response in an electronic format - that would be used any time the bank felt there was reason to believe that there could be harm to a customer or a customer base.

MS. CORRIGAN explained that the aforementioned response program requires banks to begin an immediate investigation if they believe that a security breach may have occurred, and then they are required to determine the likelihood that the sensitive information has or will be misused. A concern, she relayed, is that it is possible that an unauthorized individual could inadvertently come into contact with or come into possession of sensitive information without meaning any harm, and [her organizations believe] that it is not the sponsor's intent to have the bill apply in such situations and so want to ensure that language in the bill recognizes that, because if a bank believes that it is reasonably possible that misuse will occur, then the bank is already required to go through the aforementioned notification process and notify customers, banking regulators, federal authorities, et cetera.

MS.
CORRIGAN said that the Alaska Banking Association supports a forthcoming proposed amendment because it believes that the amendment will clarify that the information would have to have been accessed for a purpose not authorized by the state resident; this adds the piece that the Alaska Banking Association felt was missing - that it is an unauthorized person who has unauthorized access to sensitive information and is using it for unauthorized purposes or there is reason to believe that he/she could.

2:00:51 PM

MS. CORRIGAN then drew members' attention to page 2, lines 7-10 - proposed AS 45.48.020 - which provides that a business may delay disclosing a security breach to customers if the Department of Law (DOL) has an ongoing investigation that could be compromised by that disclosure. The Alaska Banking Association is asking that that exception be broadened to include all appropriate law enforcement agencies; banks are already required to have a lot of contact with federal authorities in situations involving suspected or ongoing criminal activity. She offered her understanding that the forthcoming proposed amendment will address this concern as well. She concluded by saying that with the inclusion of her aforementioned proposed changes, [her organizations] think that HB 226 is good legislation and hope it passes.

CHAIR McGUIRE, after ascertaining that no one else wished to testify, closed public testimony on HB 226.

REPRESENTATIVE GRUENBERG referred to the language on page 12, lines 3-5, and relayed that his staff is researching whether that language is identical to the language in California law. He said he supports the bill, but added that that language currently seems to read that the crime is a crime if it's a crime; in other words, it's an identifier if it's sufficient to cause a crime, which is a circular argument.

2:02:59 PM

REPRESENTATIVE GARA made a motion to adopt Amendment 1, which read [original punctuation provided]:

Page 5, line 2 following "A" Delete "consumer" Insert "credit"
Page 11, line 16 Delete "or conflicts with"

REPRESENTATIVE COGHILL objected for the purpose of discussion.

REPRESENTATIVE GARA explained that the first part of Amendment 1 corrects a typographical error and the second part provides a cleaner way of dealing with a federal preemption.

REPRESENTATIVE COGHILL removed his objection.

REPRESENTATIVE GRUENBERG said he supports Amendment 1. He remarked, though, that proposed AS 45.48.300 - which is being altered by the second portion of Amendment 1 - is not even necessary because it is always the law that federal law preempts state law.

REPRESENTATIVE GARA said he would be receptive to taking [proposed AS 45.48.300] out of the bill on the House floor if Representative Gruenberg can show that there is already a general preemption provision.

REPRESENTATIVE GRUENBERG said there isn't one now, and is pondering whether the committee would consider adding a general preemption provision to Title 1.

REPRESENTATIVE COGHILL said he'd prefer to consider that question separately from their debate on HB 226.

2:06:37 PM

CHAIR McGUIRE noted that the issue of severability has been debated, and that sometimes a specific clause pertaining to severability is put in legislation and sometimes severability is viewed as a given. She concurred that the general rule is that if there is a federal law on a particular subject, it would preempt state law, but pointed out that this issue can be more complicated when it pertains to certain areas of the law.

REPRESENTATIVE COGHILL said he would not want to concede anything [to the federal government] that he did not have to.

CHAIR McGUIRE said she thinks it's appropriate to keep [proposed AS 45.48.300] in the bill.

CHAIR McGUIRE asked whether there were any further objections to Amendment 1. There being none, Amendment 1 was adopted.

2:07:51 PM

REPRESENTATIVE GARA made a motion to adopt [Conceptual] Amendment 2, which read [original punctuation provided]:

Page 1, line 12 following "person," Insert "for a purpose not authorized by the state resident" Delete "due to the breach"
Page 2 lines 7 following "Enforcement." Delete all material through page 2, line 10. Insert "Notice of the breach may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the business or governmental entity with a written request for the delay. However, the business or governmental entity shall notify the state resident as soon as notification will no longer interfere with the investigation."

REPRESENTATIVE COGHILL objected for the purpose of discussion.

REPRESENTATIVE GARA indicated that the first part of [Conceptual] Amendment 2 addresses Ms. Corrigan's first stated concern, and the second part of [Conceptual] Amendment 2 addresses her second stated concern. With the adoption of [Conceptual] Amendment 2, if there is a breach but it's a harmless breach, then the bill won't apply, and a delay in notifying the customer of a security breach will temporarily be allowed if the company is told, in writing, by any appropriate law enforcement agency that such notification will interfere with a criminal investigation, though once law enforcement is no longer concerned about notification, then the customer must be notified.

2:09:59 PM

CHAIR McGUIRE said she would not want the first part of [Conceptual] Amendment 2 to be used as an excuse [to not provide notification]. She offered her recollection that in the ChoicePoint case, the company offered the defense that although it knew about the security breach, it didn't think that it was going to cause any harm.
She said she wants it to be very clear that companies have a duty to investigate the reasonableness of whether the breach would cause harm, and that it isn't an automatic defense for the company to simply say it didn't think it would.

REPRESENTATIVE GRUENBERG referred to the last sentence of [Conceptual] Amendment 2 and suggested that it be changed to say that the law enforcement agency must notify the company [or governmental entity] in writing that the customer notification process will no longer interfere with the criminal investigation and thus may begin. In response to a comment, he clarified that he would like the law enforcement agency to also have a duty to notify.

REPRESENTATIVE GRUENBERG made a motion to conceptually amend [Conceptual] Amendment 2, to rewrite the final sentence such that the investigating law enforcement agency shall notify the business or governmental entity as soon as the investigation is sufficiently complete that the business can notify the consumer. At that point, he added, the [business] must notify the consumer.

CHAIR McGUIRE noted however that investigations can take decades. Therefore she would prefer the phrase, "will no longer interfere with the investigation".

REPRESENTATIVE GRUENBERG indicated that he is amenable to such a change to the conceptual amendment to [Conceptual] Amendment 2, to have it say, "the investigating law enforcement agency shall notify the business or governmental entity as soon as notification will no longer interfere with the investigation and at that point the business or governmental [entity] must notify the consumer". There being no objection, [Conceptual] Amendment 2 was amended.

CHAIR McGUIRE asked whether there were any further objections to [Conceptual] Amendment 2, as amended. There being none, [Conceptual] Amendment 2, as amended, was adopted.

2:16:08 PM

REPRESENTATIVE GARA made a motion to adopt [Conceptual] Amendment 3, which read [original punctuation provided]:

Page 6, line 15 following "than" Insert a new subsection to read: " (1) $3 for the first time that the consumer places a security freeze in a five year period under AS 45.48.100"
Page 6, line 16 following "each" Insert "subsequent"
Page 6, line 16 Delete (1) Insert (2)
Page 6, line 19 Delete (2) Insert (3)
Page 12 following line 5 Insert a new bill section to read: "CONTINGENT EFFECT OF AS 45.48.160(a)(1) . If a court of competent jurisdiction whose decisions are binding in this state enters a final judgment that the charges rendered in AS 45.48.160(a)(1) are unconstitutional, then the charges shall be as stated in AS 45.48.160(a)(2), (a)(3) and AS 45.48.160(b)."

REPRESENTATIVE COGHILL objected for the purpose of discussion.

REPRESENTATIVE GARA said that he took care to mirror California's comprehensive approach. However, California allows a credit-reporting agency to charge $10 and $12 to either place or remove a freeze. That amount seems significant, he remarked, and so Conceptual Amendment 3 provides for a $3 charge for a first time request within a five year period, and includes conditional language which says that if a court finds that it is unconstitutional to impose the lower charge then it will default to the $10 and $12 charges. He pointed out that under language currently in the bill, a person may place or remove a security freeze without charge if he/she provides a credit reporting agency with proof that he/she, in good faith, filed a police report stating that his/her [personal information has been breached].

REPRESENTATIVE COGHILL removed his objection.

CHAIR McGUIRE asked whether there were any further objections to Conceptual Amendment 3. There being none, Conceptual Amendment 3 was adopted.

2:19:06 PM

REPRESENTATIVE GARA made a motion to adopt Conceptual Amendment 4, which, along with a note, read [original punctuation provided]:

Page 6, line 14 Insert a new bill section to read: "Sec. 45.48.150. Prohibition. When dealing with a third party, a credit reporting agency may not suggest, state, or imply that a consumer's security freeze reflects a negative credit score, history, report, or rating"
Page 7, line 12 Insert a new bill section to read: "Sec. 45.48.190. Notification after violation. If a credit reporting agency violates a security freeze by releasing a consumer's credit report or information derived from the credit report, the credit reporting agency shall notify the consumer within five business days after the release, and the information in the notice must include an identification of the information released and of the third party who received the information."
Renumber following bill sections accordingly.
[Note: Taken from SB222]

CHAIR McGUIRE objected for the purpose of discussion.

REPRESENTATIVE GARA relayed that SB 222 addresses many more subjects than HB 226, and Conceptual Amendment 4, which contains language from SB 222, says in the first part that if a third party contacts a credit reporting agency, the agency may not suggest, state, or imply that a freeze on a consumer's information reflects a negative credit score, history, report, or rating.

CHAIR McGUIRE removed her objection, and asked whether there were any further objections. There being none, Conceptual Amendment 4 was adopted.

REPRESENTATIVE GARA, in response to a question regarding Conceptual Amendment 3, relayed that he doesn't believe that the lower charge of $3 proposed via Conceptual Amendment 3 will violate the [federal] commerce clause but he is including the contingent effect clause just in case the proposed lower charge raises that issue.

2:22:11 PM

REPRESENTATIVE GARA made a motion to adopt Conceptual Amendment 5, which, along with a note, read [original punctuation provided]:

Page 11, line 14 Insert a new article in the bill to read:
"Article 3. Right to File Police Report Regarding Identity Theft."
Sec. 45.48.300. Right to file police report regarding identity theft. (a) Even if the local law enforcement agency does not have jurisdiction over the theft of an individual's identity, if an individual who has learned or reasonably suspects the individual has been the victim of identity theft contacts, for the purpose of filing a complaint, a local law enforcement agency that has jurisdiction over the individual's actual place of residence, the local law enforcement agency shall make a report of the matter and provide the individual with a copy of the report. The local law enforcement agency may refer the matter to a law enforcement agency in a different jurisdiction.
(b) This section is not intended to interfere with the discretion of a local law enforcement agency to allocate its resources to the investigation of crime. A local law enforcement agency is not required to count a complaint filed under (a) of this section as an open case for purposes that include compiling statistics on its open cases.
Sec. 45.48.390. Definitions. In AS 45.48.300 - 45.48.390 (1) "crime" has the meaning given in AS 11.81.900 (2) "identity theft" means the theft of the identity of an individual; (3) "victim" means an individual who is the victim of identity theft.
Renumber following bill sections accordingly.
[Language taken from SB222]

REPRESENTATIVE GARA mentioned that he'd gotten this language from SB 222 as well, and that it addresses a person's ability to file a police report regarding identity theft.

REPRESENTATIVE ANDERSON objected, and asked whether this language will engender a fiscal note.

REPRESENTATIVE GARA acknowledged that this language might have a minor fiscal impact, and explained that Conceptual Amendment 5 specifies that law enforcement shall allow a person to file a report and thereby obtain a free security freeze; he noted that [under Conceptual Amendment 5] a law enforcement agency will not be required to investigate a situation outlined in the report.

REPRESENTATIVE ANDERSON said he will be maintaining his objection because he thinks the proposed requirement to allow people to file the aforementioned reports will be too burdensome on law enforcement agencies.

REPRESENTATIVE GARA reiterated that Conceptual Amendment 5 stipulates that law enforcement will not have to take any action on such reports.

REPRESENTATIVE ANDERSON argued that law enforcement agencies will still have to fill out the reports.

2:24:56 PM

A roll call vote was taken. Representatives McGuire, Coghill, Wilson, Gruenberg, and Gara voted in favor of Conceptual Amendment 5. Representatives Anderson and Kott voted against it. Therefore, Conceptual Amendment 5 was adopted by a vote of 5-2.

CHAIR McGUIRE encouraged Representative Gara to have someone from law enforcement available to address this issue when the bill is heard in the House Finance Committee.

REPRESENTATIVE GARA agreed to do so, and asked Representative Anderson to contact law enforcement.

REPRESENTATIVE ANDERSON indicated that he would.

2:26:05 PM

REPRESENTATIVE GARA made a motion to adopt Conceptual Amendment 6, which read [original punctuation provided]:

Page 2, line 16 following "(3)" Insert "by substitute notice"
Page 2, line 17 following "$250,000," Insert "or"
Page 3, line 5-7 Delete "if the employee or agent does not use the personal information for a purpose unrelated to the activities of the business or governmental entity and does not make further unauthorized disclosure of the personal information."
Insert "provided that the personal information is not used or subject to further unauthorized disclosure."
Page 3, line 12 following "recover the" Insert "actual"

CHAIR McGUIRE objected for the purpose of discussion.

REPRESENTATIVE GARA referred to the portion of Conceptual Amendment 6 that proposes a change to page 2, line 16.

CHAIR McGUIRE said she doesn't know what the term, "substitute notice" means.

REPRESENTATIVE COGHILL pointed out that [paragraphs (1)-(3)] direct how a business or government shall make the disclosure.

REPRESENTATIVE GRUENBERG asked whether the term, "substitute notices" is defined [in statute], or, if not, who would decide what it means, or is it defined on lines 20-25 of page 2. If the latter is the case, he remarked, then he would suggest dividing Conceptual Amendment 6 into parts and amending it such that it would add to page 2, line 19, the word, "substitute" between the words, "provide notice".

REPRESENTATIVE GARA made a motion to amend Conceptual Amendment 6, to delete the change proposed to page 2, line 16. There being no objection, Conceptual Amendment 6 was amended.

REPRESENTATIVE GARA referred to the portion of Conceptual Amendment 6, as amended, that proposes a change to page 2, line 17, and characterized this as a technical change.

2:29:29 PM

REPRESENTATIVE GARA referred to the portion of Conceptual Amendment 6, as amended, that proposes a change to page 3, lines 5-7, and explained that the new proposed language would track California statute; although both the current language of the bill and the new proposed language seem to say the same thing, as a matter of caution he would prefer to use the language in California law.

REPRESENTATIVE GRUENBERG asked that Conceptual Amendment 6, as amended, be divided.

CHAIR McGUIRE suggested instead that Representative Gruenberg simply state his concerns.

REPRESENTATIVE GRUENBERG, referring to the portion of Conceptual Amendment 6, as amended, that proposes a change to page 3, line 12, offered his belief that "actual damages" might be read to mean special damages only as opposed to general damages, and since an unauthorized disclosure could ruin a person, they should not limit the damage award to actual damages.

REPRESENTATIVE GARA said his [initial thought] is that both "damages" and "actual damages" mean "compensatory damages", but he is willing to [delete that proposed change from Conceptual Amendment 6, as amended].

REPRESENTATIVE GRUENBERG said he would be more comfortable if the term, "actual" was not included.

REPRESENTATIVE GRUENBERG made a motion to again amend Conceptual Amendment 6, as amended, by deleting the portion that proposes a change to page 3, line 12. There being no objection, the second amendment to Conceptual Amendment 6, as amended, was adopted.

CHAIR McGUIRE asked whether there were any further objections to Conceptual Amendment 6, as amended twice. There being none, Conceptual Amendment 6, as amended twice, was adopted.

REPRESENTATIVE ANDERSON offered his belief that Mr. George's concern regarding encryption warrants further attention as the bill moves through the process.

REPRESENTATIVE GARA agreed.

REPRESENTATIVE GRUENBERG, referring to proposed AS 45.48.390, said it seems to him that anything in subparagraph (A) would necessarily be in subparagraph (B). Referring to the actual language in California's law pertaining to this issue, he characterized that language as quite clear and well drafted.
He asked Representative Gara whether he would be amenable to replacing the language currently in proposed AS 45.48.390 with the language in California law, which read:

For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

REPRESENTATIVE GARA said he thinks that Representative Gruenberg is correct on this issue and that [Mr. George] has a valid concern.

2:35:58 PM

REPRESENTATIVE GRUENBERG made a motion to adopt Conceptual Amendment 7, to replace the language currently in proposed AS 45.48.390 with the language in California law except that Alaska terms be used in place of California terms. There being no objection, Conceptual Amendment 7 was adopted.

2:37:01 PM

REPRESENTATIVE WILSON, after noting that she'd had her personal information stolen in the past, moved to report CSHB 226(L&C), as amended, out of committee with individual recommendations and the accompanying fiscal notes. There being no objection, CSHB 226(JUD) was reported from the House Judiciary Standing Committee.