SB 222-PROTECTION OF PERSONAL INFORMATION  CHAIR CON BUNDE announced SB 222 to be up for consideration. SENATOR GRETCHEN GUESS, co-sponsor of SB 222, recapped the purpose of the bill saying that the problem of identify theft is worse this year than last. 1:38:00 PM SENATOR GENE THERRIAULT, co-sponsor of SB 222, said he read an article that said 1,600 cases of fraud and identify theft were reported in 2004; of those, 400 were identity theft. He explained that it is very difficult to get control of one's economic and personal data once it has been stolen. Recognizing that consumers benefit from rapid data availability, he realized that simply freezing data wouldn't allow stores quick access to information on customers who are applying for a credit card, for instance, to take advantage of a special sale; and he still wanted to give consumers the option of being able to freeze access to their data. 1:43:41 PM CHAIR BUNDE asked if he also envisioned an instant "opt out" option so that a credit report could be quickly obtained by a business that has had a person apply for one of their credit cards. He also asked how quickly a person could apply the remedy if his information had been stolen and used. SENATOR THERRIAULT responded that that is what he hoped testimony would cover today. 1:44:50 PM SENATOR RALPH SEEKINS asked what interstate implications this bill would have, since it would be Alaska law and most credit bureaus that are accessed for personal information are headquartered outside of Alaska. SENATOR THERRIAULT responded that the state has the authority to regulate those companies, because they are responding to inquiries of businesses within the state of Alaska. SENATOR SEEKINS asked what if a customer was in Seattle and there's a big sale at Nordstrom's and he had frozen his account in Alaska, would there be a statutory requirement for the enquiry to be frozen. SENATOR THERRIAULT replied, "I don't think that's the way the system works." He surmised that for someone who had acquired his data and pretended to be him, the law would be meaningless in every one of the other states. 1:48:23 PM SENATOR SEEKINS asked where the definition of information collector is located. SENATOR GUESS replied that that definition is on page 4, lines 6 - 8 and an information collector is a person who owns or uses personal information in any form... on a state resident. SENATOR SEEKINS asked if a person who wrote down his zip code was, by definition, an information collector. SENATOR GUESS replied no and that the personal information definition is on page 4, lines 9 - 28 and talks about what personal information is and, therefore, what it is not. SENATOR SEEKINS stated he thought that definition needed to be clarified. 1:51:44 PM SENATOR GUESS asked if Senator Seekins was referring to an Alaskan resident who may be in Washington who either wants to freeze or unfreeze his credit report. SENATOR SEEKINS rephrased his question stating that the law would apply to all businesses working in Alaska, but if the headquarters of ABC Rating Company, for instance, is in Kansas City (that recognizes our state law) and the enquiry is coming from the Nordstrom Store in downtown Seattle, does the ABC Reporting Company have any statutory requirement not to provide that - even though the customer froze his report in Alaska. SENATOR THERRIAULT replied that the State of Alaska has the power to regulate a business entity that is housed outside of the state if it has agreed and wants to transact business in the state of Alaska. 1:54:05 PM CHAIR BUNDE posed his Bahamas question. An Alaskan resident freezes his credit information; he wins the lottery and moves to the Bahamas and he hasn't taken the freeze off. Does the freeze stay there until he removes it - no matter where he resides. SENATOR THERRIAULT indicated yes. SENATOR SEEKINS asked for a report on that situation's enforceability by the time this bill came to the Judiciary Committee. SENATOR THERRIAULT noted that the bill breaks down the controls an individual consumer can exert over his information and what duties the companies collecting the information have to him, if there is a breach of their internal security. 1:56:01 PM SENATOR SEEKINS asked about credit accuracy on page 14. He asked if a person disputes the credit information, does he have a responsibility to report it immediately to the information collector. SENATOR THERRIAULT replied that the business has the duty to stop making reports. 1:58:05 PM SENATOR JOHNNY ELLIS arrived. 1:58:52 PM SENATOR GUESS responded that language on page 14, line 25, says that it applies to those companies that are actually distributing the information, not someone who is using the information. SENATOR SEEKINS remarked that he didn't want to end up with an affirmative responsibility on the part of the merchant who is trying to gain information to make a credit decision. 2:00:24 PM JOHN GEORGE, American Council of Life Insurers, said that some of his concerns had been addressed, but he still had issues. He didn't think a company should be required to do business with a person if he refuses to give it his social security number. In the life insurance business, he said: We need to make sure that we're paying the right beneficiary. We need to know that that's absolutely the right guy and a social security number is a personal identifier; it's a number that's generally collected.... He further explained that if a person uses another name, like their pet cat's name, Fluffy, the person who filled out the application knows that, but their heirs who are the ones who are going to be collecting on the policy may not know that. He explained: We really need an identifier that is consistent, that can be verified and for someone to refuse to give that type of information may make it difficult for us to identify who the real deceased is and, therefore, who the legal beneficiaries are. He also had problems with the notification requirement that would force them to notify every policyholder in the state that they had a breach of security if someone accidentally got the wrong letter in the mail and sent it back. 2:04:01 PM CHAIR BUNDE asked if banks could still refuse to cash checks without a person showing his social security number first. MR. GEORGE replied that he didn't know if cashing a check could be considered "doing business" and that's the language that is used. Selling a life insurance policy to someone is really "doing business" with him. CHAIR BUNDE instructed him to work with the bill's sponsors on resolving his issues. 2:05:52 PM LISA CORRIGAN, President, Alaska Bankers Association, said she is also Executive Vice President and Chief Operating Officer of Alaska Pacific Bank. She stated the Alaska Bankers Association supported the intent of this legislation saying, "Our very integrity depends upon our ability to safeguard customer information, not just their money, but any of their sensitive information." Her comments pertained to three points of clarification. The first issue was language in Section 1 concerning disclosure of breach of security. It appears to state that a bank would have to notify affected persons regardless of whether sensitive customer information had actually been accessed for unauthorized purposes and that language goes too far. She explained that banks are already operating under numerous regulatory rules and guidelines from the federal regulatory authorities governing all banks that was developed as a requirement in the Gramm-Leach-Blighly Act regarding privacy. Banks are required to look at how likely it is that such a breach would occur and how vulnerable their data would be in that event and they have to come up with a program of response. Regulation language says: If the bank determines through this risk assessment process in their analysis of the breach itself that such misuse has occurred or it is reasonably possible that misuse will occur, then notification of affected customers is required as soon as possible. Secondly, she recommended different language regarding notification to law enforcement, again from the banking interagency guidance. Instead of stating that just the Department of Law needs to be consulted to see if there is an on-going investigation, the association wanted to make sure that all appropriate law enforcement agencies would be referenced. Thirdly, the protection of social security number language on page 15 talks about having a waiver for a refusal to do business with an individual if a business is required to submit a social security number to the federal government. She pointed out that there are cases in which a bank is required to obtain a social security number, as under the Patriot Act, so that an individual who wants to open an account can be definitively identified. If that person is not a primary signer on the account, that social security number will probably not be reported to the IRS and is held in the bank's records as a form of identification. To resolve this, she asked the committee to delete "submit" and insert "obtain" on line 30. CHAIR BUNDE asked if she thought this legislation prevented her from requiring a social security number from a person who was cashing a check at her bank. MS. CORRIGAN replied that she didn't see that as a problem as long as the bank is allowed to obtain it without having to submit it to the federal government. 2:13:58 PM RON JORDAN, Anchorage, said he was testifying for himself and his deceased brother-in-law's behalf, having dealt with his identity theft. His brother-in-law had a housemate who was renting from him who stole his identification. While Mr. Jordan supported SB 222, he didn't think the penalties in it were strong enough. Mandatory jail time and/or restitution should be involved. 2:16:13 PM ED SNIFFEN, Assistant Attorney General, said he specializes in consumer law and supported the overall intent of the sponsors, but he had some concerns about the way SB 222 would impact a variety of state agencies that collect personal information as defined in this bill. He was working to amend some provisions to provide the protections for state agencies that are trying to conduct state business without fear of having to absorb enormous expenses to notify state residents for some incidental and perhaps unintentional exchange of information. On Senator Seekins' question about applicability of this law if one was to cross state lines and if an Alaskan resident calls a credit bureau in Minneapolis to put a freeze on this credit report, he stated that that credit reporting agency would be required to honor that freeze regardless of who called. 2:18:40 PM CHAIR BUNDE asked if the person who wishes that service has to identify himself as an Alaskan resident to access protection under Alaska law. MR. SNIFFEN replied yes, the bill requires the resident to provide sufficient identification to the bureau. It has to honor his request if it wants to continue to do business in Alaska. Half the states have the same requirement. CHAIR BUNDE thanked people for their comments and said the bill would be held for further work.