ALASKA STATE LEGISLATURE  SENATE LABOR AND COMMERCE STANDING COMMITTEE  March 13, 2008 1:18 p.m. MEMBERS PRESENT Senator Johnny Ellis, Chair Senator Gary Stevens, Vice Chair Senator Bettye Davis Senator Lyman Hoffman Senator Con Bunde MEMBERS ABSENT  All members present COMMITTEE CALENDAR  SENATE BILL NO. 160 "An Act establishing an Alaska health care program to ensure insurance coverage for essential health services for all residents of the state; establishing the Alaska Health Care Board to define essential health care services, to certify health care plans that provide essential health care services, and to administer the Alaska health care program and the Alaska health care fund; establishing the Alaska health care clearinghouse to administer the Alaska health care program under the direction of the Alaska Health Care Board; establishing eligibility standards and premium assistance for persons with low income; establishing standards for accountable health care plans; creating the Alaska health care fund; providing for review of actions and reporting requirements related to the health care program; and providing for an effective date." MOVED CSSB 160(L&C) OUT OF COMMITTEE SENATE BILL NO. 293 "An Act relating to electronic communication devices and to personal information." MOVED CSSB 293(L&C) OUT OF COMMITTEE CS FOR HOUSE BILL NO. 65(FIN) "An Act relating to breaches of security involving personal information, credit report and credit score security freezes, protection of social security numbers, care of records, disposal of records, identity theft, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings; amending Rules 60 and 82, Alaska Rules of Civil Procedure; and providing for an effective date." SCHEDULED BUT NOT HEARD PREVIOUS COMMITTEE ACTION  BILL: SB 160 SHORT TITLE: MANDATORY UNIVERSAL HEALTH CARE SPONSOR(s): SENATOR(s) FRENCH 04/23/07 (S) READ THE FIRST TIME - REFERRALS 04/23/07 (S) HES, L&C, FIN 09/10/07 (S) HES AT 1:30 PM Anch LIO Conf Rm 09/10/07 (S) Heard & Held 09/10/07 (S) MINUTE(HES) 01/30/08 (S) HES AT 1:30 PM BUTROVICH 205 01/30/08 (S) Heard & Held 01/30/08 (S) MINUTE(HES) 02/18/08 (S) HES AT 1:30 PM BUTROVICH 205 02/18/08 (S) Moved CSSB 160(HES) Out of Committee 02/18/08 (S) MINUTE(HES) 02/19/08 (S) HES RPT CS 3DP 1DNP NEW TITLE 02/19/08 (S) DP: DAVIS, THOMAS, ELTON 02/19/08 (S) DNP: DYSON 02/26/08 (S) L&C AT 1:30 PM BELTZ 211 02/26/08 (S) Heard & Held 02/26/08 (S) MINUTE(L&C) 02/28/08 (S) L&C AT 1:30 PM BELTZ 211 02/28/08 (S) Heard & Held 02/28/08 (S) MINUTE(L&C) 03/11/08 (S) L&C AT 1:30 PM BELTZ 211 03/11/08 (S) Heard & Held 03/11/08 (S) MINUTE(L&C) BILL: SB 293 SHORT TITLE: ELECTRONIC COMMUNICATION DEVICES SPONSOR(s): SENATOR(s) MCGUIRE 02/19/08 (S) READ THE FIRST TIME - REFERRALS 02/19/08 (S) L&C, JUD 03/04/08 (S) L&C AT 1:30 PM BELTZ 211 03/04/08 (S) Heard & Held 03/04/08 (S) MINUTE(L&C) BILL: HB 65 SHORT TITLE: PERSONAL INFORMATION & CONSUMER CREDIT SPONSOR(s): REPRESENTATIVE(s) COGHILL, GARA 01/16/07 (H) PREFILE RELEASED 1/5/07 01/16/07 (H) READ THE FIRST TIME - REFERRALS 01/16/07 (H) L&C, JUD, FIN 01/31/07 (H) L&C AT 3:00 PM CAPITOL 17 01/31/07 (H) 03/28/07 (H) L&C AT 3:00 PM CAPITOL 17 03/28/07 (H) Heard & Held 03/28/07 (H) MINUTE(L&C) 04/04/07 (H) L&C AT 3:00 PM CAPITOL 17 04/04/07 (H) 04/16/07 (H) L&C AT 10:00 AM CAPITOL 17 04/16/07 (H) Scheduled But Not Heard 04/20/07 (H) L&C AT 3:00 PM CAPITOL 17 04/20/07 (H) Heard & Held 04/20/07 (H) MINUTE(L&C) 04/23/07 (H) L&C AT 3:00 PM CAPITOL 17 04/23/07 (H) Moved CSHB 65(L&C) Out of Committee 04/23/07 (H) MINUTE(L&C) 04/24/07 (H) L&C RPT CS(L&C) 2DP 3NR 1AM 04/24/07 (H) DP: GATTO, NEUMAN 04/24/07 (H) NR: BUCH, LEDOUX, OLSON 04/24/07 (H) AM: GARDNER 05/02/07 (H) JUD AT 1:00 PM CAPITOL 120 05/02/07 (H) Heard & Held 05/02/07 (H) MINUTE(JUD) 05/05/07 (H) JUD AT 8:00 AM CAPITOL 120 05/05/07 (H) Moved CSHB 65(JUD) Out of Committee 05/05/07 (H) MINUTE(JUD) 05/07/07 (H) JUD RPT CS(JUD) NT 4DP 2AM 05/07/07 (H) DP: HOLMES, LYNN, COGHILL, RAMRAS 05/07/07 (H) AM: DAHLSTROM, SAMUELS 01/23/08 (H) FIN AT 1:30 PM HOUSE FINANCE 519 01/23/08 (H) Heard & Held 01/23/08 (H) MINUTE(FIN) 02/13/08 (H) FIN AT 1:30 PM HOUSE FINANCE 519 02/13/08 (H) Heard & Held 02/13/08 (H) MINUTE(FIN) 02/18/08 (H) FIN AT 1:30 PM HOUSE FINANCE 519 02/18/08 (H) Heard & Held 02/18/08 (H) MINUTE(FIN) 02/19/08 (H) FIN AT 1:30 PM HOUSE FINANCE 519 02/19/08 (H) Moved CSHB 65(FIN) Out of Committee 02/19/08 (H) MINUTE(FIN) 02/21/08 (H) FIN RPT CS(FIN) NT 4DP 5NR 02/21/08 (H) DP: HAWKER, CRAWFORD, GARA, NELSON 02/21/08 (H) NR: KELLY, THOMAS, STOLTZE, MEYER, CHENAULT 02/27/08 (H) TRANSMITTED TO (S) 02/27/08 (H) VERSION: CSHB 65(FIN) 02/29/08 (S) READ THE FIRST TIME - REFERRALS 02/29/08 (S) L&C, JUD, FIN 03/04/08 (S) L&C AT 1:30 PM BELTZ 211 03/04/08 (S) Heard & Held 03/04/08 (S) MINUTE(L&C) 03/13/08 (S) L&C AT 1:30 PM BELTZ 211 WITNESS REGISTER TREVOR FULTON Staff to Senator McGuire Alaska State Capitol Juneau, AK POSITION STATEMENT: Commented on SB 293 for sponsor. DR. OLIVER HEDGECUT Professor of Logistics University of Alaska Anchorage Anchorage, AK POSITION STATEMENT: Supported SB 160.  ED SNIFFEN, Assistant Attorney General Department of Law PO Box 110300 Juneau, AK POSITION STATEMENT: Commented on SB 293 and HB 65. KAREN LIDSTER Staff to Representative John Coghill Alaska State Capitol Juneau, AK POSITION STATEMENT: Commented on HB 65 for the co-sponsor. MEAGAN FOSTER Staff to Representative Les Gara Alaska State Capitol Juneau, AK POSITION STATEMENT: Commented on HB 65 for the sponsor. JON BURTON, Vice President State Government Relations Choice Point Washington, D.C. POSITION STATEMENT: Wanted changes to HB 65. AUDREY ROBINSON, Manager State Government Affairs Reed Elsevier, Parent Company of LexisNexis No address provided POSITION STATEMENT: Wanted changes to HB 65. JENNIFER FLYNN, Director Government Affairs Consumer Data Industry Association (CDIA) Washington, D.C. POSITION STATEMENT: Wanted changes to HB 65. GAIL HILLEBRAND Consumers Union No address provided POSITION STATEMENT: Wanted changes to HB 65. TERRY BANNISTER Legislative Legal Division Juneau, AK POSITION STATEMENT: Commented on HB 65. BRYAN MERRELL, Regional Counsel First American Title Insurance Company and Alaska Land Title Association Juneau, AK POSITION STATEMENT: Commented on HB 65. ALAN VAZQUEZ American Electronics Association No address provided POSITION STATEMENT: Wanted changes to HB 65. KENTON BRYNE Property Casualty Insurers Association (PCI) of America No address provided POSITION STATEMENT: Wanted changes to HB 65. SHEILA CALCALSURE Information Policy Officer for the Americas Acxiom Corporation No address provided POSITION STATEMENT: Commented on HB 65. ACTION NARRATIVE CHAIR JOHNNY ELLIS called the Senate Labor and Commerce Standing Committee meeting to order at 1:33:38 PM. Present at the call to order were Senators Davis, Stevens and Ellis. SB 160-MANDATORY UNIVERSAL HEALTH CARE  1:34:51 PM CHAIR ELLIS announced SB 160 to be up for consideration. 1:35:10 PM SENATOR HOFFMAN joined the committee. SENATOR DAVIS moved to adopt CSSB 160(L&C), version T. There were no objections and it was so ordered. CHAIR ELLIS stated they had covered the labor and commerce aspects of the bill. 1:36:18 PM SENATOR STEVENS said he was still concerned about how the health care programs would be paid for. SENATOR DAVIS moved to report CSSB 160(L&C) from committee with individual recommendations and attached fiscal notes. There were no objections and it was so ordered. SB 293-ELECTRONIC COMMUNICATION DEVICES 1:37:31 PM CHAIR ELLIS announced SB 293 to be up for consideration. TREVOR FULTON, staff to Senator McGuire, sponsor of SB 293, recapped that this is a consumer protection bill protecting personal privacy and preventing theft of personal identity. The state currently doesn't have any regulation on the books and this brings state statutes up to date with this growing technology. CHAIR ELLIS asked him to explain the concerns that were expressed since the last hearing. 1:38:51 PM SENATOR BUNDE joined the committee. MR. FULTON responded that the proposed CS addressed some of those concerns. In response to Senator Bunde's question whether SB 293 was a proactive bill or addressed current problem, he reported that Ed Sniffen, Assistant Attorney General, said identity theft as a result of radio frequency identification (RFID) would be difficult to prove, but he thought it had probably already happened. Senator Bunde's second concern was how SB 293 would affect the use of federal documents like passports. Mr. Fulton said Legal Services decided it wouldn't affect federal regulations regarding those types of documents, but the CS excludes passports and other government-issue travel documents. A third question came up through public testimony about whether similar laws exist in other states. The short answer is no, but RFID has only been on the public radar for the last three years. It surfaced in 2005 and since then 50 pieces of legislation have been introduced in 27 states about it. SENATOR BUNDE said that addressed his concerns. SENATOR ELLIS asked Mr. Fulton to go through the CS. 1:41:55 PM MR. FULTON said that after discussions with the Attorney General's office, the bill drafter, the Electronic Privacy Information Center and Dr. Oliver Hedgecut, Professor of Logistics at UAA, the sponsor decided to incorporate the following changes into the draft CS. The first change is in the title that adds violations of this act to a long list of unfair trade practices already in statute. The second change is on page 1, line 7, and deletes "active" that was used in the RFID industry as a very specific term to differentiate between an active RFID device and a passive one. It wasn't used in that sense and they didn't want to cause confusion so it was deleted. The third change is on page 1, line 10, and a couple of other places and replaces "universally accepted symbol" with "industry recognized symbol". The reasoning is there is no "universally acceptable symbol" out there and several different industries use the symbols differently. They also wanted to accommodate those who are already willingly labeling their products with some sort of RFID symbol. On page 2, lines 16-31, a paragraph was deleted that required consumers to pay costs associated with the deactivation of RFID. It was thought putting that burden on the consumer's shoulders was unreasonable. A new paragraph says "a provider must delete any personal information on a reactivated RFID." They didn't want to discourage reuse of the devices, but personal information had to be purged first. The fifth change was on page 3, line 1, that replaced "coerce" and "coercion" with "require" and "requirement". "Coercion" is a stronger term and more open to interpretation, which could make proving a violation of this section more difficult. On page 3, lines 15-16, "remote" was deleted because it is superfluous; all RFID devices scan and read remotely. On page 4, lines 12-14, the "Enforcement" section was deleted because when this was added to the Unfair Trade Practices Act, there was no longer any need to specifically identify enforcement procedures. A new section was added in its place entitled "Exemption" which is where passports and other international travel documents were exempted. On page 4, lines 16-18, the definition of "active" was deleted and definitions for "activate" and "activated" were inserted. 1:47:48 PM This next section had the most substantive change, Mr. Fulton said. On page 4, lines 28-29, "that transmits, receives or stores personal information" was added after "item". This language narrows the focus of the bill only to RFID devices that transmit, receive or store personal information. "Personal information" is defined to include the types of items that consumers tend to be most sensitive about (listed on page 5). They didn't want to unnecessarily burden all the other industries, particularly supply chain management and retail industries that use RFIDs quite a bit. The final change in the CS is on page 6, lines 2-3, where a new section was inserted entitled "Section 2" that adds this act to the list of Unfair Trade Practices. 1:49:07 PM CHAIR ELLIS asked if all concerns had been addressed. MR. FULTON replied yes. DR. OLIVER HEDGECUT, Professor of Logistics, University of Alaska Anchorage, supported SB 160. He stated that Alaska does lead in this area and started its RFID research at UAA with the military. "For that very reason we are a good Petrie dish to experiment with, not only technology, but with laws and I'm very proud to be Alaskan and see that we are talking about this today." He approved of the suggested changes. ED SNIFFEN, Assistant Attorney General, said making data protection and privacy a violation of the Consumer Protection Act was a good move. SENATOR ELLIS said he supported narrowing the bill to personal privacy. 1:52:37 PM SENATOR STEVENS moved to adopt CSSB 293(L&C), version 25- LS1509\C. There were no objections and it was so ordered. 1:53:02 PM SENATOR STEVENS moved to report CSSB 293(L&C) from committee with individual recommendations and attached fiscal notes. There were no objections and it was so ordered. CSHB 65(FIN)-PERSONAL INFORMATION & CONSUMER CREDIT  1:54:04 PM CHAIR ELLIS announced CSHB 65(FIN) to be up for consideration. [The committee was considering SCS CSHB 65(L&C), version 25- LS0311\V.] KAREN LIDSTER, staff to Representative John Coghill, co-sponsor of HB 65, was available to answer questions. MEAGAN FOSTER, staff to Representative Les Gara, co-sponsor of HB 65, started reviewing the changes to version V. On page 11, line 9, the original bill allowed $10 for placing a security freeze per credit reporting agency and the CS takes that to $5 based on AARP testimony. SENATOR BUNDE asked what a freeze would actually cost. MS. FOSTER answered that states' charges vary with $15 being the most expensive. Indiana has no charge for placing a freeze. She has not heard what actual costs are to the credit bureau. 1:59:37 PM MS. FOSTER said the second change is on page 11, line 23, for victims of identity theft to receive a freeze at no cost. This was requested by AARP. The original bill had no exemptions. SENATOR BUNDE said he was curious about the unfunded mandate. CHAIR ELLIS remarked that is an open issue at this point. MS. FOSTER went to page 12, lines 3-6, rights given to consumers, that outlined changes in the fee structure, a conforming change. 2:01:23 PM MS. LIDSTER went to page 16 and recording of documents. The original bill dealt with the DNR's concerns by making the exception for them to be able to accept whatever legal document they were required to record. The DNR and the DOL felt that exemption should also be in Section 45.48.400 on page 17, line 20. It states that prohibitions of this section do not apply to a person that is engaged in the business of government and is authorized by law or when the request or collection of the individual's social security number is required for the performance of a person's duties or responsibilities. This makes sure that an individual recording a document in the Recorder's Office was not responsible for the information that was on the document. SENATOR ELLIS asked if this circumstance is particular to the DNR. MS. LIDSTER replied it was brought to their attention by DNR because it has the unique duty of recording documents that may have personal information and it makes copies available. The department is not in a position to start going through those documents and deleting that recorded information. The provision relates to other government agencies or individuals that are authorized by law to perform this work. MS. FOSTER went to page 17, lines 28-29, where "from an individual there" replaced "an individual" with in relation to social security numbers. It was requested by Choice Point as clarifying language. SENATOR BUNDE asked how this applies if you want to cash a check at a bank that wants to see your social security number. MS. FOSTER replied the exemptions allow for disclosure of a social security number if it is needed to complete a financial transaction. 2:06:59 PM SENATOR BUNDE said it prohibits a business from asking, but asked if a person who wants to conduct business there can still volunteer it. MS. FOSTER didn't know how that would be addressed. 2:07:50 PM MS. FOSTER proceeded to page 18, lines 19-22, subsection (5) where "debt collection, fraud prevention and medical treatment" was inserted after "background check on an individual". This is because Premera was concerned that restricting social security numbers would prevent them from giving a patient his medical records. Doctors' offices were also concerned with this issue. 2:10:04 PM SENATOR BUNDE asked if there is a problem in Alaska of people selling social security numbers. MS. FOSTER replied that in the past an information services company allowed downloading of social security numbers. It was advertised on their website; that is no longer there. The numbers were from 1988 fishing licenses. She said that data brokering companies will still sell that information. This would just affect Alaskan records, not those in other states. She said the next change was requested by Choice Point as a clarification - on page 19, lines 8-11, subsection (d), language was added saying "transfer of an individual's social security number for the sole purpose of identifying a person about whom a report or database check is ordered, received or provided is not a sale, lease, loan, trade or rental or the social security number of this section." Finally, she said, on page 20, lines 2-5, the same language used in request or collection was inserted to allow for disclosure of social security numbers for debt collection, identity verification, fraud prevention and medical treatment. This change was requested by Premera. 2:14:20 PM CHAIR ELLIS said they would begin public testimony on the CS. 2:15:33 PM JON BURTON, Vice President, State Government Relations, Choice Point, Washington, D.C. introduced himself. AUDREY ROBINSON, Manager, State Government Affairs, Reed Elsevier, Parent Company of LexisNexis, introduced herself. JENNIFER FLYNN, Director, Government Affairs, Consumer Data Industry Association (CDIA), Washington, D.C. said her agency represents consumer companies like LexisNexis and Choice Point. MR. BURTON recalled their proposed amendments presented last week that they felt were necessary to not only allow the consumer protections in this bill to go forward, but also to removed some impediments to legitimate business activities that are currently going on today in Alaska and across the country. He wanted to briefly respond to some of the changes in the CS and then go into his proposed amendments. He commented that he hadn't seen many of the amendments in the CS and the fact that many of them were attributed to Choice Point came as an utter surprise to him. He asked members to refer to a copy of his proposed amendments from last week. MS. ROBINSON clarified that the amendments presented to the committee were based on the CS as it came over to the committee. So, some of the line numbers were slightly off given the new version. 2:20:19 PM at ease 2:21:52 PM CHAIR ELLIS noted his practice of providing CS to the general public as soon as possible. MR. BURTON said his primary concerns were with the social security number provisions, the credit freeze provisions and the breech notification. He started with the social security number provisions on page 17, line 27, Section 45.48.410. He said one change was made at his request and that was the insertion of language from an individual on line 29. 2:24:00 PM Choice Point's second proposed amendment dealt with Sections 45.48.410, .420 and .430 on pages 17-20. The contentious language is on page 18, line 1, where it says "(1) if the person is expressly authorized by local, state or federal law...." His issue with that is they aren't aware of many statutes, either state or federal, that specifically talk about the government use of social security numbers. His company operates under an umbrella of state and federal regulatory law which talks about the distribution, the sharing and transfer of non-public personal information and these kinds of definitions most of which include social security numbers. Many of their activities are engaged by such federal regulatory statutes such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLB), the Driver's Privacy Protection Act and the U.S. Patriot Act. These laws are what they call prohibitive statutes in that they set up things they can not do - except for certain permissible purposes or authorized exemptions. MR. BURTON explained that he has asked the sponsors to make a small language change to contemplate and conform to those federal statutes. The language would read, "if the person is permitted or authorized by local, state or federal law." He said he brought the federal statutes for their review. 2:26:00 PM MS. FLYNN said she had worked on this type of language in many states and while it is seemingly a simple issue, "permitted" and "authorized" are necessary for their businesses to continue providing their services. They feel that particular language complies with federal laws. Once "expressly authorized" is inserted they no longer can actually say they comply with the FCRA and GLB requirements, because those purposes are "permitted," they are not "authorized." MR. BURTON said the language at issue is in three separate social security number sections. So they want the suggested language included in all three sections for conformity as well. 2:27:58 PM MR. BURTON said the next language issue applies to all three social security number sections again. He explained that the bill sets up prohibitions on what can be done with social security numbers and then sets out a list of exemptions. One of the exemptions is for the GLB. His problem is that the GLB exemption it references does not have the legal effect they need to continue legitimate business operations. He has asked the sponsors to redraft the exemption to give what his lawyers said it needed to have legal effect. CHAIR ELLIS asked Ms. Bannister to address this specifically. 2:30:38 PM MR. BURTON said all three social security sections should be changed to have this legal effect. MS. FLYNN reiterated that credit reporting is regulated under FCRA and not being able to legally transmit social security numbers back and forth could stop credit reports from being transmitted to Alaska. CHAIR ELLIS said this came up in other states and asked how those credit agencies dealt with it. MS. FLYNN answered that many states don't particularly touch on social security numbers one way or another. But the states that have brought it up understand the fact that credit reports and the transfer of information not only from a consumer to the credit reporting agency, but the credit reporting agency to, for instance, a bank or to someone who is trying to get a lien or looking at a mortgage title - all those transactions include the social security number and are permissible under the FCRA. They want language to mirror the federal language. 2:34:29 PM MR. BURTON said language in subparagraph (5), page 18, line 19, was in Section 45.48.410 and .430, but not in .420. He asked that it reference all three for effect and conformity purposes. That concluded his suggestions on the social security provisions. 2:35:48 PM CHAIR ELLIS asked Ms. Foster and Ms. Lidster if they wanted to comment in terms of the policy calls, the impact of the tradeoffs and drafting issues. MS. FOSTER said Representative Gara had discussions with Mr. Burton about using "permitted" and the representative thought using it was too broad. Representative Gara also wanted a word that wasn't as narrow as "expressly authorized". They hadn't come to an agreement. CHAIR ELLIS asked if the drafting attorney had suggested language and if it would allow the business practice that other states have allowed. He said this issue really has to be resolved. ED SNIFFEN, Department of Law (DOL), said industry's concerns were that using "expressly authorized" in sections .410, .420 and .430 was too narrow for them to conduct business under the FCRA or GLB. He looked at the acts and even though the headings in some of them use terms like "permissible purposes" or "things that aren't prohibited," it seemed to suggest that "expressly authorized" wouldn't encompass that same meaning. The FCRA provides that "permissible purpose" of a consumer report allows that a consumer reporting agency "may furnish to a person which has a reason to believe that the information is going to be used in connection with a credit transaction involving the consumer". The Act says it is okay to furnish this information to a person and he thought "expressly authorized" could include statements like "may furnish". He suggested dropping "expressly" and using just "authorized". He thought "authorized" had more import than "permitted" because that is very broad. He said it's likely that existing language would allow them to do business, but he was continuing to work on this with them. In looking over Alaska Supreme Court cases, he hadn't found any legal distinction between using "authorized" and "permitted." MR. SNIFFEN said with respect to the exemptions in sections .410 and .430 the "expressly authorized" language is an "either or" under these sections, because regardless of whether something is expressly authorized or not, the bill does carve out an exemption for the Gramm-Leach-Bliley Act. It doesn't matter if it says "permitted" or "expressly authorized," if it's in the GLB Act, you are exempt. He hadn't focused on Mr. Burton's point about whether or not they are technically a financial institution and so that exemption may or may not apply to them, but he would be happy to have that conversation with him. The same for consumer reporting agencies under exemption 4 on page 18, line 16, that provides an exemption for a communication to or from a consumer reporting agency. The FCRA defines a consumer reporting entity to include, he believed, Choice Point and others; maybe that's where their hang-up was. He thought this exemption encompassed all that conduct. However, he said, those exemptions don't hinge on the language "expressly authorized" versus "permitted". CHAIR ELLIS asked him to think about what language would work. GAIL HILLEBRAND, Consumers Union, said on the issue of "expressly authorized" this bill is designed to restrict some conduct that now occurs in the marketplace. That is why it was brought forward. Her concerns with saying simply "authorized" or "permitted" without some kind of affirmative authorization or permission is that federal law allows all sorts of things that it doesn't prohibit. But it is implied. Federal law is structured so there are certain things you can't do and it just doesn't touch the universe of other things; this measure is designed to touch the remaining universe of other things. She thought this was a policy issue, not a drafting issue. MS. FOSTER said the sponsors made a policy call when inserting "for a purpose permitted or authorized by the Gramm-Leach-Bliley Act" into sections .410 and .430. The reason it is not just a conforming amendment and wasn't put into section .420 is because they are trying to prohibit the sale, lease, loan or trade of a social security number and institutions covered under GLB are allowed to engage in that business. It was a hard policy call. 2:46:48 PM CHAIR ELLIS asked if the restriction in the CS is common in other states. MS. FOSTER answered no other state has restrictions as tight as the ones being proposed. CHAIR ELLIS said they would come back to sections .410 and .430. 2:47:55 PM MS. FOSTER said the language for the Fair Credit Reporting Act was inserted because they didn't want to open all the sections of the bill to those purposes covered under it. On page 18, line 23, new language was added in the sale, lease, loan, trade or rental section for conformity with .410 and .430. They don't necessarily want the language in section .420 to conform exactly with the other two sections. It was another policy call that they don't feel the language covering the sale of a social security number should be the same as the language covered under disclosure or request for collection of a social security number. 2:50:00 PM CHAIR ELLIS asked Ms. Bannister's thoughts on the points that had been made from a drafting perspective. TERRY BANNISTER, Legislative Legal, said she could draft whatever is wanted. However, "permitted" is very broad and she didn't know if the parties could compromise on another word. CHAIR ELLIS stated that they wanted to make the right policy call, but they didn't want to make a compromise for comprise sake. 2:53:08 PM MS. BANNISTER asked what Mr. Burton particularly felt using "authorized" would not allow them to do. MS. FLYNN (GLB) answered that their lawyers interpret "authorize" specifically to mean authorize; there is no definitional ambiguity to that word. It means the law has to "authorize" it. The FCRA and the GLB do not do that; they "permit." If a lawyer is looking at what they are allowed to do and it says "authorized" by the FCRA, the FCRA doesn't authorize, it permits. Her company lawyers' interpretation is that they would no longer be able to provide the services under the FCRA. GLB is a broader financial institution law, so the consumer reporting agencies would not be able to provide the services that they provide. If there are certain things under federal law the state doesn't want them doing, that's a different question. But if you're trying to say they should be able to continue doing everything that is permissible under the FCRA and GLB, this would not allow them to do that. 2:55:14 PM MS. FOSTER had no response to that. 2:55:54 PM MS. BANNISTER asked why doesn't subsection (4) [in Section 45.48.410] allow it. MS. FLYNN replied as that particular section is written "a communication to or from a consumer reporting agency" is much too vague. They operate under very strict regulatory and legal guidelines and laws; it would be a disservice for her to say this is okay. Ambiguity is unacceptable and they are talking about secure information. MS. BANNISTER asked what she would use instead of "communication" that would be more concrete. MS. FLYNN replied she would have to discuss that with the companies and the lawyers. CHAIR ELLIS directed that to proceed. SENATOR BUNDE said he thought the crux of the matter is that things are allowed under the federal law that the CS won't allow. He asked if it was the sponsors' intent to limit practices that are allowed under federal law. MS. FOSTER said the sponsors believe what is allowed under federal law is really broad, and they are not comfortable with that, especially for social security numbers. It is the sponsors' intent to narrow those permitted uses. SENATOR BUNDE said he didn't think there were words that would solve this equation. CHAIR ELLIS said he thought language could be found to allow certain business practices. 3:00:21 PM MS. FLYNN asked which purposes they would be limiting. 3:02:06 PM BRYAN MERRELL, Regional Counsel, First American Title Insurance Company and Alaska Land Title Association, said he was concerned about an issue that was raised by the DNR Recorder's Office about making a public record of private information that might be contained in its recorded documents. He had been told those concerns were addressed by an exemption, but he wasn't sure. CHAIR ELLIS responded that no one from DNR was present, but they had represented to staff that they were satisfied with the change. 3:05:39 PM ALAN VAZQUEZ, American Electronics Association, suggested adding an email provision within the methods of notice section as a primary form of notice. They believe this because many of their member companies' primary method of communication with their customers is through email. It is also a quicker way to notify consumers and customers of a potential data breach. Second, he asked that a public exception provision be inserted in the definition of personal information in Section 45.48.090 (7) because business should be encouraged to focus resources on truly sensitive data elements. "It's imperative that the data elements include a definition that is consistent with those that truly lead to a significant risk of identity theft." Last, Mr. Vazquez encouraged them to look at the American Legislative Exchange Council's model definition of "data breach." It is their concern that the current definition in this bill is too broad and would lead to over notification and "boy cries wolf scenario." 3:09:22 PM KENTON BRYNE, Property Casualty Insurers Association (PCI) of America, said he had provided amendments to Representative Coghill's office, and their focus is entirely on Article 2 the credit freeze authorization provision - particularly Section 45.48.100. He said roughly 43 percent of the home, auto and business insurance polices written in America are written by PCI member companies. He said some 40 states have approved credit freeze language; 33 of those states have included some kind of language that allows insurers to continue to access credit related information and consumer reports for insurance related purposes even if a freeze has been placed on the credit file. He said primarily when someone's identity is stolen it is for the purpose of falsely getting access to money and loans. He was pretty sure that every state in the last two years that has crafted a security freeze bill has allowed insurer access to frozen credit files. He explained that insurers use credit information to determine risk to determine a rate. In this day of 24/7 access to insurance they want to keep the process as easy and hassle free for the consumer as possible. So, PCI has asked a number of states, including Idaho, Washington and Oregon, to adopt the language they are proposing for Section 45.48.100 in which they define for purposes of a credit freeze a credit report as a consumer report that is accessed for the purpose of determining someone's eligibility for a loan; this would allow other non- lending purposes to go forward even when a freeze is on file. They would seek to repeat that language in the definition section, 45.48.290(5). As for their other amendments, after consulting with Representative Coghill's staff, they determined the current CS is sufficient to allow insurers to treat a consumer fairly if they have a credit freeze and you're not allowed to access their credit reports if they won't lift the freeze. So they will not seek the amendments they previously sought for Section 45.48.130. 3:14:40 PM SENATOR BUNDE agreed that he doubted someone would steal someone else's identity to get lower insurance rates, but he asked if it is possible someone would try to hack an insurance company's files to steal identities and what could they do to prevent that. If it did happen, how would people be notified? MR. BRYNE replied the answer is in the security breach provisions of the bill. Insurers would be treated the same as other entities that are regulated under the legislation. They are not seeking any change in that. The only change is specific to accessing a file that has been frozen at the request of a consumer. He didn't know that any insurance company's files had been hacked, accessed or breached, but if that occurred, insurers would be subject to the same provisions as other institutions under the legislation. While some insurers are regulated under GLB, it depends on the activity; the provisions do not apply the same way to all companies. The protections that have been contemplated for other financial institutions are the same for insurers under the bill. SENATOR BUNDE commented to the representatives of the sponsors if the argument is about state law preempting federal law, they are having an academic exercise. 3:16:44 PM SHEILA CALCALSURE, Information Policy Officer for the Americas, Acxiom Corporation, said Acxiom is an information policy business and providing information solutions to its clients all over the United States that do things like identity authentication. Its tools are permitted under a Gramm-Leach- Bliley permitted use statute of the federal law. She said the outcome of this bill is very important to the way they serve their clients in Alaska and the United States. CHAIR ELLIS thanked everyone for their testimony and said they would continue with the bill at a later meeting. There being no further business to come before the committee, he adjourned the meeting at 3:18:57 PM.