9:20:53 AM CS FOR SENATE BILL NO. 222(JUD) "An Act relating to breaches of security involving personal information, credit report security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, disposal of records, factual declarations of innocence after identity theft, filing police reports regarding identity theft, furnishing consumer credit header information, and truncation of credit and debit card information; and amending Rule 60, Alaska Rules of Civil Procedure." This was the first hearing for this bill in the Senate Finance Committee. SENATOR GENE THERRIAULT, Co-Sponsor of the bill, noted the increase in instances of identity theft in Alaska and the nation. He and Senator Gretchen Guess identified model legislation in other states and each introduced bills for consideration for Alaska. They decided to combine their efforts and co-sponsor one bill. Senator Therriault explained this bill would "put on notice" those who are "in the business" of collecting, utilizing and brokering people's personal information. These businesses would be required to undertake certain protections of the information they control. The bill outlines violations, definitions, and manners in which documents must be maintained and destroyed, to protect information from being stolen for illicit use in the "modern economy". 9:23:22 AM SENATOR GRETCHEN GUESS detailed the bill sections. Section 1 would amend AS 45 by adding a new chapter to read: Chapter 48, Personal Information Protection Act. Senator Guess outlined the articles of the new chapter beginning with Article 1, Breach of Security Involving Personal Information, which provides that the holder of an individual's personal information must alert that individual of any breach of security. The article also defines breach of security. 9:24:13 AM Senator Guess stated that Article 2, Credit Report Security Freeze, allows a person to prohibit a consumer credit reporting agency from releasing information without express written authorization of the consumer. 9:24:29 AM Senator Guess noted Article 3, Consumer Credit Monitoring; Credit Accuracy, grants Alaskans increased assess to their credit reports in a "reasonable fashion" as well as the ability to correct errors. 9:24:54 AM Senator Guess pointed out that Article 4, Protection of Social Security Number, specifies instances in which a person could be required to provide their social security number and how and when that number could be used, sold, etc. 9:25:16 AM Senator Guess informed that Article 5, Disposal of Records, provides how personal information must be handled and disposed. 9:25:32 AM Senator Guess explained Article 6, Factual Declaration of Innocence after Identity Theft; Right to File Police Report Regarding Identity Theft, allows a victim of identity theft to declare their innocence of accumulated debt in a court of law. This article also allows an individual to file a police report in their resident jurisdiction even if the crime was committed elsewhere. Many federal provisions pertaining to identity theft do not go into affect without a police report. 9:26:18 AM Senator Guess continued with Article 7, Consumer Credit Header Information, which relates to the social security number and prohibits the selling of credit header information for the sole purpose of the sale. Such transactions must first be permissible under federal law. 9:26:45 AM Senator Guess stated that Article 8, Truncation of Card Information, provides that printed material only list the last five digits of credit cards and debit cards. 9:27:02 AM Senator Guess noted Article 9, General Provisions, includes many definitions as they apply to this bill. 9:27:10 AM Senator Guess commented on the extensive efforts of the co- sponsors to resolve as many issues as possible for the different stakeholders. Senator Guess told of a policy decision she and Senator Therriault agreed upon to not provide "carve outs", or exemptions, for any specific industry or entity. Rather, issues would be resolved for all parties. It would be unfair to hold different groups to different standards. This decision resulted in fiscal notes from State agencies, as government would be held to the same liability standards. 9:28:30 AM Senator Stedman referenced the language of subparagraph (a) (5) of Section 45.48.400. Use of social security number., in Article 4 on page 16, lines 7 through 18. This subparagraph would prohibit printing of an individual's social security number on material mailed to the individual unless provided by law or is included on an application or necessary for verification. The social security number, if printed, could not be visible without the envelope containing the information being opened. Senator Stedman asked if a financial institution that utilizes social security numbers embedded in account numbers would be required to change the customer's account number. 9:29:15 AM Senator Guess replied that if the institution planned to disclose that account number or print the account number on material in a manner other than provided for in Sec. 48.48.400(a)(5), the account number would have to be changed. No stakeholder has advised the co-sponsors that it utilizes account numbers with social security numbers embedded, although that may have been a past practice. This practice is not safe. 9:29:52 AM Co-Chair Green understood that some group health plans use social security numbers as identification numbers. 9:29:58 AM Senator Guess agreed this had been practiced; however most carriers have changed their methods. 9:30:19 AM Senator Stedman again asked if account numbers would have to be changed. 9:30:26 AM Senator Guess affirmed this would be required unless a state or federal law required the use of the social security number. 9:30:39 AM Co-Chair Green asked if this provision pertains to material enclosed or to information exposed on the outside of mailings. 9:30:52 AM Senator Guess responded that the information could not be included unless federal law requires the social security number, or the sender could send the information in an enclosed mailing. A postcard would not be allowed. 9:31:11 AM Senator Stedman requested clarification as account statements are mailed in enclosed envelopes, whether social security numbers were embedded in the account number or not. 9:32:04 AM Senator Guess answered the account numbers must be changed, unless State or federal law required the social security number, or unless the party received consent of the account holder. Senator Guess surmised that this would likely apply in the event the social security was obvious. 9:33:37 AM Senator Stedman understood that many changes have been undertaken to eliminate the embedding of social security numbers; however many older accounts continue to contain social security numbers in the account number. He again asked if industry would be forced to review and change these older account numbers. 9:34:14 AM Senator Guess responded that for a business that practices disclosure of social security numbers, the provisions of this bill would apply. If a social security number is contained in the business's system and linked to an account number, but the social security number were not disclosed either separately or as part of the account number, the account number would not require changing. 9:34:52 AM Co-Chair Green asked if in discussions on this issue the point had been raised that this is "a little late". She provides her social security number frequently. 9:35:15 AM Senator Therriault remarked that the ability to collect and transfer information electronically has expanded. People used to print social security numbers on their checks and otherwise provided their number regularly. However, he had not given his number in years. Social security numbers are no longer printed on driver's licenses. 9:35:46 AM Co-Chair Green countered that every visit to a doctor involves the utilization of a social security number. 9:35:52 AM Senator Therriault informed that industry is responding to threats of identity theft and social security numbers are being removed from disclosed information. This is occurring in other transactions as well. For example, entire credit card numbers are no longer always printed on receipts. Industry is "slowly correcting". 9:36:41 AM Co-Chair Wilken referenced Sec. 45.48.850. Truncation of care information of Article 8, on page 23, lines 2 through 5. He related that federal law stipulates that entire credit card numbers could not be printed as of January 1, 2005. He asked if the inclusion of this provision is State statute is intended to reinforce the federal law, or whether it serves a different purpose. 9:37:39 AM Senator Guess was unaware of the federal law and would research the matter. The practice is occurring currently, and therefore some vendors have received an exemption or are violating the law. 9:38:06 AM Co-Chair Wilken did not oppose the proposed language, surmising it would "serve as a reminder". While recently traveling in Canada, he noticed that his entire credit card numbers were printed on receipts. This has also occurred in some establishments stateside. 9:39:07 AM Co-Chair Green admitted this provision was included in the bill at her request. A member of her staff had experienced receipts with the entire number printed and had expressed concern. She would also research the matter. 9:40:12 AM ED SNIFFEN, Assistant Attorney General, Commercial/Fair Business Section, Department of Law, testified via teleconference from Anchorage to the extensive comments made to previous committees hearing this bill. The co-sponsors have addressed the Department's concerns about the ability of State agencies to operate. Information must be accessed and disclosed in the course of State business, including student loans and collections. Instances exist in which information must be shared with non-governmental entities for reasons not covered in law, but are essential nonetheless. 9:42:35 AM Mr. Sniffen also spoke to the State's binding liability for damages to third parties in the event of noncompliance to this law. While the Department does not oppose the compliance requirements, the liability provision would not encourage compliance but would require the State to defend against frivolous lawsuits. If methods were provided for individuals to sue the State, such suits would be made. Mr. Sniffen pointed out that the State does not generate revenue from the sale of private information. The information is only utilized for conducting government business. 9:43:44 AM STEVE CLEARY, Executive Director, Alaska Public Interest Research Group, testified via teleconference from Anchorage about the organization, which supported this bill. He told of an incident involving Choice Point, Inc. alerting many Americans of a potential leak of personal information. Many similar incidences have occurred since involving other businesses. The notification process is very important. The Group also supports the credit report freeze provision that would prevent a thief from receiving credit using stolen identity. He related an instance in which a person inadvertently provided personal information to a possible "fisher" and subsequently made an immediate freeze on her credit report until the issue was resolved. This practice is beneficial to business, as billions of dollars are lost each year from this sort of fraudulent actions. 9:47:08 AM Co-Chair Green asked the name of the company involved in the first major security breach. Mr. Cleary answered Choice Point, Inc. is a company operating in the state of Georgia that inadvertently released private information. 9:47:31 AM PAT LUBY, Director, AARP-Alaska, testified via teleconference from Anchorage in support of this bill. The organization has multiple consumer affairs records from its members relating to identity theft. He encouraged passage of the bill. 9:48:26 AM KENTON BRINE, Northwest Region Manager, Property Casualty Insurers Association of America, testified via teleconference from an offnet location that the trade association represents more than 1,000 insurance companies that write nearly 41 percent of the property casualty policies in the country. The Association had expressed concerns with this legislation in other committees. Approximately 40 other states have considered or were considering measures intended to protect consumer information from unauthorized access or exposure, or to allow consumers to freeze access to their credit information. Also, legislation is under consideration in the US Congress to create a national standard. Mr. Brine informed of the federal Fair and Accurate Credit Transaction Act, or FACT ACT of 2003, which includes provisions intended to help consumers fight identity theft, to assure the credit history items identified as fraudulent would not be considered against the consumer during the course of legitimate business transactions, and to ensure that victims of identity theft would continue to qualify for goods and services dependant on credit information. Mr. Brine explained that the FACT ACT allows any consumer with reason to believe he or she is a victim of identity theft to request that a fraud alert be placed on their credit file. This would inform users of the report that the information on the credit file could be inaccurate and that further investigation could be warranted. These consumers could also request that items identified as fraudulent be blocked from appearing on their credit report. The advantage of blocking certain information over freezing an entire report would allow the consumer to continue to qualify for credit based on their true history. Mr. Brine stressed that a lack of uniformity between states could cause difficulties for financial services companies, including insurers' efforts to effectively serve customers. Mr. Brine relayed that insurance companies have successfully sought exemptions in several other states considering similar legislation to allow credit freezes. Mr. Brine indicated he would submit suggested amendments for consideration. 9:54:49 AM JOHN GEORGE, American Council of Life Insurers, testified in Juneau that life insurers are financial institutions carefully controlled by the Division of Insurance and through federal regulations. The State has adopted regulations that are more restrictive than federal law. The companies do not sell or purchase personal identification information, but rather share the information internally with financial partners. This information is utilized to insure against fraud. Mr. George gave an example of a person who purchased a life insurance policy while residing in the state of Florida, relocating several times in the course of his life to other states before passing away many years later in Alaska. The identity of this policyholder must be verified so the claim could be paid. He gave another example of a husband purchasing multiple policies from different carriers on his wife, who then disappears or dies unexpectedly. In such an instance, the policies must be complied to assist in an investigation of possible crimes. Mr. George relayed that an exemption for the insurance industry would be appropriate because it is already controlled and does not buy or sell personal information. 9:58:16 AM Senator Olson asked if the witness did not support the bill. 9:58:24 AM Mr. George responded that the life insurance industry strongly supports identification protection and the use of account numbers different from social security numbers. However, the adoption of alternative numbers could result in their wide usage and subsequent theft. Aside from DNA, fingerprinting or retinal scanning, accurate identification is not guaranteed. 9:59:44 AM Senator Bunde thought the issue had been addressed in the Senate Labor and Commerce Committee. 9:59:58 AM Mr. George replied that provisions are included in the bill to allow access to a social security number in instances legally required by State and federal law. However, he was unsure that existing statutes would apply to every instance in which the insurance industry would need the information. Often the social security numbers are required to report payments to the Internal Revenue Service. 10:00:43 AM DIANE BARRANS, Executive Director, Alaska Commission on Postsecondary Education (ACPE), testified in Juneau, reading a statement into the record as follows. While the Commission is already in compliance with a number of the information security elements of the bill, we do have significant concerns about the provisions relating to the collection and use of social security numbers. The current provisions constitute a potential major impairment of ACPE's ability to efficiently and effectively carry out its administrative responsibilities for state financial aid programs. Specifically, (page 6, lines 25 to 27) AS 45.48.400(b) Unless expressly required by federal or state law, a person may not sell, lease, loan, trade, rent, or otherwise disclose an individual's social security number to a third party for any purpose without the individual's written consent. Currently, ACPE uses the SSN as one of several key identifiers in a multi-point ID protocol when performing statutorily required servicing processes which include: insuring the identity of the applicant, review of applicant credit history, review for relevant selective service status, review for child support delinquency, garnishment of wages and/or PFDs, skip tracing, credit reporting, etc. These matches are made with both federal and state entities as well as with private postsecondary institutions and other non-governmental third parties critical to the process. Collection of SSNs is absolutely critical to these processes and yet, the act of collecting the SSN is not expressly required by law, it is performing the processes that is required. Current language contained in the state education loan Master Promissory Note (MPN) includes an important notices section, which advises applicants that submission of the SSN is required to participate in the loan program. It further advises them, generally, how the SSN will be used as an identifier, when needed and appropriate, throughout the life of the loan. While the promissory note does state: "Information Sharing I authorize the release of information pertinent to my loans…etc.", it does not contain an explicit statement relating to release of the SSN. Should this phrasing issue be subject to litigation and the language deemed to be deficient, I cannot estimate what costs could come from a class action. The current MPN has been in use for the past four years. For the Commission to have to require new MPNs of all current borrowers is estimated to cost in excess of $50,000 in printing, distribution and staff time explaining to borrowers and participating institutions why the existing MPN must be replaced. There would also be the intangible cost to the organization, of putting our customers' confidence in the organization at risk. Since we also operate as a lender under the federal program, should we be able to comply with federal credit reporting requirements the financial losses to the Alaska Student Loan Corporation could be in the millions. Federal loan volume for the current loan year is estimated to be approximately $27 million and represents slightly less than 40% of our total loan volume. The other two sections of related concern are 45.48.410 and 45.48.415. While 45.48.410 appears to provide agencies with the ability to create SSN-related "law" through regulation, as it currently reads, that ability is limited to this single section. Should we attempt to provide all of the requisite authority to support critical administrative processes, I am very concerned that, if subjected to litigation by a disgruntled borrower, the courts would take a strict reading of the statute and disallow any such regulation that was not supported by clear statutory authority. It is also relevant to note that the legislature has expressly charged ACPE with acting as an enterprise agency, using a business model to generate revenue for the state. However, by prohibiting a state agency from asking for a SSN, but not extending that prohibition to other entities, the proposed language in 45.48.410 not only results in significantly increased cost for ACPE - and associated decreases in ACPE's ability to generate revenue for the state - but also results in ACPE not being able to compete with out-of-state organizations that actively market their loans to Alaska's students, costing those students more, decreasing state revenues, and resulting in an outflow of education loan repayment dollars to other states. Finally, ACPE's business process is already subject to a variety of federal consumer protection laws including: Fair Debt Collection Practices Act (FDCPA); Telephone Consumer Protection Act (TCPA); Fair Credit Reporting Act (FCRA); Patriot Act (for OFAC compliance); Gramm Leach Bliley (GLB): Fair and Accurate Credit Act (FACT ACT); Alaska Privacy Act; Alaska statutes and regulations governing the education loan programs; Truth in Lending Act as well as a variety of federal and state laws relative to consumer information protection, identity theft, payment processing, debt collection, and related financial information. The additional requirements placed on the agency by this legislation certainly adds complexity to compliance, due to possible conflicts, without adding meaningfully to the protection of our customers. If it is not possible to altogether exempt ACPE from these referenced requirements, then appropriate amendments are necessary to avoid devastating consequences to our operations, our ability to operate as an enterprise agency, and - most important - our ability to support Alaska's students and institutions of higher education. 10:05:53 AM Senator Therriault informed that in the course of the committee hearing process, 26 formal changes have been adopted to address stakeholder concerns. A new committee substitute was being drafted to further address issues and would be submitted for consideration. He invited Committee members to participate in this process. Senator Therriault pointed out however that a decision was made by the Senate Labor and Commerce Committee as well as the Senate Judiciary Committee to not treat State agencies differently than businesses. 10:07:24 AM Senator Guess referenced testimony from the Alaska Commission on Postsecondary Education and Department of Law testimony regarding social security numbers. The co-sponsors had prepared amendments intended to address the concerns but had decided to delay their introduction to allow the changes to be combined with other planned changes currently being drafted. Senator Guess disclosed that the co-sponsors were continuing communications with life insurance carriers to accommodate the specific needs of that industry. She disagreed that it should receive a special exemption and instead supported efforts to draft language to clarify how the provisions of the bill would apply unless otherwise provided in law. 10:08:54 AM Co-Chair Green directed members to submit any concerns or recommendations to her office to be transmitted to the co- sponsors. Co-Chair Green ordered the bill HELD in Committee.