Alaska State Legislature

Home
Bill & Laws
Bills
HB 270 Detail
FullText

txt

HB 270: "An Act relating to breaches of security involving personal information, consumer report security freezes, protection of social security numbers, disposal of records, factual declarations of innocence after identity theft, furnishing consumer credit header information, and filing police reports regarding identity theft; and amending Rule 60, Alaska Rules of Civil Procedure."

00 HOUSE BILL NO. 270 01 "An Act relating to breaches of security involving personal information, consumer 02 report security freezes, protection of social security numbers, disposal of records, factual 03 declarations of innocence after identity theft, furnishing consumer credit header 04 information, and filing police reports regarding identity theft; and amending Rule 60, 05 Alaska Rules of Civil Procedure." 06 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA: 07 * Section 1. AS 45 is amended by adding a new chapter to read: 08 Chapter 48. Personal Information Protection Act. 09 Article 1. Breach of Security Involving Personal Information. 10 Sec. 45.48.010. Disclosure of breach of security. (a) If a person owns or 11 uses personal information that includes personal information on a state resident, and a 12 breach of the security of the information system containing the personal information 13 occurs, the person shall, after discovering or being notified of the breach, disclose the

01 breach to the state resident, whether or not the personal information has or has not 02 been accessed by an unauthorized third party for legal or illegal purposes. 03 (b) An information collector shall make the disclosure required by (a) of this 04 section in the most expedient time possible and without unreasonable delay, except as 05 provided in AS 45.48.020 and as necessary to determine the scope of the breach and 06 restore the reasonable integrity of the information system. 07 Sec. 45.48.020. Notification of law enforcement. An information collector 08 may delay making the disclosures required by AS 45.48.010 if the Department of Law 09 determines that the disclosures may compromise an investigation by the Department 10 of Law. If the disclosures are delayed under this section, the information collector 11 shall make the disclosures after the Department of Law determines that making the 12 disclosures would not compromise an investigation. 13 Sec. 45.48.030. Methods of notice. An information collector shall make the 14 disclosure required by AS 45.48.010 15 (1) by a written document; 16 (2) by electronic means if making the disclosure by the electronic 17 means is consistent with the provisions regarding electronic records and signatures 18 required for notices legally required to be in writing under 15 U.S.C. 7001 et seq. 19 (Electronic Signatures in Global and National Commerce Act); or 20 (3) if the information collector demonstrates that the cost of providing 21 notice would exceed $250,000, that the affected class of state residents to be notified 22 exceeds 500,000, or that the information collector does not have sufficient contact 23 information to provide notice, by 24 (A) electronic mail if the information collector has an 25 electronic mail address for the state resident; 26 (B) conspicuously posting the disclosure on the Internet 27 website of the information collector if the information collector maintains an 28 Internet site; and 29 (C) providing a notice to major statewide media. 30 Sec. 45.48.040. Exception for employees and agents. In AS 45.48.010 - 31 45.48.090, the good faith acquisition of personal information by an employee or agent

01 of an information collector for a legitimate purpose of the information collector is not 02 a breach of the security of the information system if the employee or agent does not 03 use the personal information for a purpose unrelated to a legitimate purpose of the 04 information collector and does not make further unauthorized disclosure of the 05 personal information. 06 Sec. 45.48.050. Waivers. A waiver of AS 45.48.010 - 45.48.090 is void and 07 unenforceable. 08 Sec. 45.48.060. Violations. (a) If an information collector violates 09 AS 45.48.010 - 45.48.090 with regard to the personal information of an individual, the 10 individual may bring a civil action in court to 11 (1) recover the damages suffered by the state resident; 12 (2) enjoin from further violations of AS 45.48.010 - 45.48.090 an 13 information collector who engages in business and the security breach occurred to the 14 personal information used or owned by the information collector in the business. 15 (b) The rights and remedies available under this section are in addition to any 16 other rights and remedies available under another law. 17 Sec. 45.48.070. Minimum contacts. An information collector is subject to 18 AS 45.48.010 - 45.48.090 if the information collector engages in activities that 19 provide at least the minimum contacts required by substantive due process for the state 20 to exercise jurisdiction over the information collector. 21 Sec. 45.48.090. Definitions. In AS 45.48.010 - 45.48.090, 22 (1) "breach of the security" means unauthorized acquisition of personal 23 information that compromises the security, confidentiality, or integrity of the personal 24 information maintained by the information collector; in this paragraph, "acquisition" 25 includes acquisition by photocopying, facsimile, or other paper-based method; 26 (2) "information collector" means a person who owns or uses personal 27 information in any form if the personal information includes personal information on a 28 state resident; 29 (3) "personal information" means information in any form on an 30 individual, other than, if applicable, the information collector, that is not lawfully 31 available to the general public from federal, state, or local government records and that

01 consists of 02 (A) a combination of an individual's first name or first initial, 03 the individual's last name, and one or more of the following information 04 elements, when the name or the information elements are not encrypted or 05 redacted: 06 (i) the individual's social security number; 07 (ii) the number of the individual's driver's license or 08 state identification card; 09 (iii) the individual's account number, credit card 10 account number or debit card account number if the number does not 11 require additional identifying information, access codes, or passwords 12 for use; 13 (iv) account passwords or personal identification 14 numbers or other access codes; 15 (B) an item listed in (A)(i) - (iv) of this paragraph if the item 16 would be sufficient to engage in or attempt to engage in the theft of an 17 individual's identity. 18 Article 2. Consumer Report Security Freeze. 19 Sec. 45.48.100. Security freeze authorized. A consumer may prohibit a 20 consumer reporting agency from releasing all or a part of the consumer's consumer 21 report or information derived from the consumer report without the express 22 authorization of the consumer by placing a security freeze on the consumer's consumer 23 report. 24 Sec. 45.48.110. Placement of security freeze. (a) To place a security freeze, 25 a consumer shall make the request to the consumer reporting agency 26 (1) by certified mail; 27 (2) by telephone if the consumer provides the consumer reporting 28 agency with certain personal identification; or 29 (3) through a secure electronic mail connection if the consumer 30 reporting agency makes a secure electronic mail connection available to the consumer. 31 (b) A consumer reporting agency shall place a security freeze within five

01 business days after receiving a request under (a)(1) or (2) of this section and within 02 three business days after receiving a request under (a)(3) of this section. 03 Sec. 45.48.120. Confirmation of security freeze. (a) Within five business 04 days after a consumer makes the request under AS 45.48.110, a consumer reporting 05 agency shall send a written confirmation of the placement of the security freeze to the 06 consumer. 07 (b) At the same time that the consumer reporting agency sends a confirmation 08 under (a) of this section, the consumer reporting agency shall provide the consumer 09 with a unique personal identification number or password to be used by the consumer 10 when the consumer authorizes the release of the consumer's consumer report or 11 information derived from the report under AS 45.48.130. 12 Sec. 45.48.130. Access and actions during security freeze. (a) While a 13 security freeze is in place, a consumer reporting agency shall allow a third party access 14 to a consumer's consumer report or information derived from the consumer report if 15 the consumer requests that the consumer reporting agency allow the access. 16 (b) To make a request under (a) of this section, the consumer shall contact the 17 consumer reporting agency by telephone, certified mail, or secure electronic mail 18 connection, authorize the consumer reporting agency to allow the access, and provide 19 the consumer reporting agency with 20 (1) proper identification to verify the consumer's identity; 21 (2) the unique personal identification number or password provided 22 under AS 45.48.120(b); and 23 (3) the proper information necessary to identify the third party to 24 whom the consumer reporting agency may allow the access or the time period during 25 which the consumer reporting agency may allow the access to third parties who 26 request the access. 27 (c) A consumer reporting agency that receives a request from a consumer 28 under (b) of this section shall comply with the request within three business days after 29 receiving the request. 30 (d) If a security freeze is in place, a consumer reporting agency may not 31 release the consumer report or information derived from the consumer report to a third

01 party without the prior express authorization of the consumer. 02 (e) If a security freeze is in place on a consumer's consumer report and 03 information derived from the consumer report and if a third party applies to a 04 consumer reporting agency to provide the third party with access to the consumer's 05 consumer report or information derived from the consumer report, the consumer 06 reporting agency may treat the third party's application as incomplete unless the 07 consumer authorizes the access under (a) of this section. 08 (f) A consumer reporting agency shall notify a consumer that a third party has 09 attempted to access the consumer's consumer report or information derived from the 10 report if a third party requests a consumer reporting agency to provide the third party 11 with access to the consumer report or information, a security freeze has been placed, 12 and the purpose of the access is not for the sole purpose of account review. 13 (g) This section is not intended to prevent a consumer reporting agency from 14 advising a third party that requests access to a consumer's consumer report or 15 information derived from the consumer report that a security freeze is in effect. 16 (h) The procedures used by a consumer reporting agency for implementing the 17 provisions of this section may include the use of telephone, facsimile, or electronic 18 means if making the disclosure by the electronic means is consistent with the 19 provisions regarding electronic records and signatures required for notices legally 20 required to be in writing under 15 U.S.C. 7001 et seq. (Electronic Signatures in Global 21 and National Commerce Act), Internet, electronic mail, or another electronic method. 22 Sec. 45.48.140. Removal of security freeze. (a) Except as provided by 23 AS 45.48.130, a consumer reporting agency may not remove a security freeze unless 24 (1) the consumer requests that the consumer reporting agency remove 25 the security freeze under (b) of this section; or 26 (2) the consumer made a material misrepresentation of fact to the 27 consumer reporting agency when the consumer requested the security freeze under 28 AS 45.48.110; if a consumer reporting agency intends to remove a security freeze on a 29 consumer's consumer report under this paragraph, the consumer reporting agency shall 30 notify the consumer in writing five business days before removing the security freeze. 31 (b) A consumer reporting agency shall remove a security freeze within three

01 business days after receiving a request for removal from the consumer who requested 02 the security freeze if the consumer provides proper identification to identify the 03 consumer and the unique personal identification number or password provided by the 04 consumer reporting agency under AS 45.48.120. 05 Sec. 45.48.150. Prohibition. When dealing with a third party, a consumer 06 reporting agency may not suggest, state, or imply that a consumer's security freeze 07 reflects a negative credit score, history, report, or rating. 08 Sec. 45.48.160. Charges. (a) Except as provided by (b) of this section, a 09 consumer reporting agency may not charge a consumer to place or remove a security 10 freeze, to provide access under AS 45.48.130, or to take any other action, including 11 the issuance of a personal identification number or password under AS 45.48.120, that 12 is related to the placement of, removal of, or allowing access to a consumer report or 13 information derived from a consumer report on which a security freeze has been 14 placed. 15 (b) If a consumer fails to retain a personal identification number or password 16 issued under AS 45.48.120, a consumer reporting agency may charge the consumer up 17 to $5 for each time after the first time that the consumer reporting agency issues the 18 consumer another personal identification number or password because the consumer 19 failed to retain the personal identification number or password. 20 Sec. 45.48.170. Notice of rights. When a consumer reporting agency is 21 required to give a consumer a summary of rights under 15 U.S.C. 1681g (Fair Credit 22 Reporting Act), a consumer reporting agency shall also give the consumer the 23 following notice: 24 Consumers Have the Right to Obtain a Security Freeze 25 You may obtain a security freeze on your consumer report at no charge 26 to protect your privacy and ensure that credit is not granted in your name 27 without your knowledge. You have a right to place a "security freeze" on your 28 consumer report under state law (AS 45.48.100 - 45.48.290). 29 The security freeze will prohibit a consumer reporting agency from 30 releasing any information in your consumer report without your express 31 authorization or approval.

01 The security freeze is designed to prevent credit, loans, and other 02 services from being approved in your name without your consent. When you 03 place a security freeze on your consumer report, within five business days you 04 will be provided a personal identification number or password to use if you 05 choose to remove the freeze on your consumer report or to temporarily 06 authorize the release of your consumer report to a specific third party or 07 specific third parties or for a specific period of time after the freeze is in place. 08 To provide that authorization, you must contact the consumer reporting agency 09 and provide all of the following: 10 (1) proper identification to verify your identity; 11 (2) the personal identification number or password 12 provided by the consumer reporting agency; 13 (3) proper information necessary to identify the third 14 party or third parties who are authorized to receive the consumer report 15 or the specific period of time for which the report is to be available to 16 third parties. 17 A consumer reporting agency that receives your request to temporarily 18 lift a freeze on a consumer report is required to comply with the request not 19 later than three business days after receiving your request. 20 A security freeze does not apply to circumstances where you have an 21 existing account relationship and a copy of your report is requested by your 22 existing creditor or its agents or affiliates for certain types of account review, 23 collection, fraud control, or similar activities. 24 If you are actively seeking credit, you should understand that the 25 procedures involved in lifting a security freeze may slow your own 26 applications for credit. You should plan ahead and lift a freeze, either 27 completely if you are shopping around, or specifically for a certain creditor, a 28 few days before actually applying for new credit. 29 You have a right to bring a civil action against someone who violates 30 your rights under these laws on security freezes. The action can be brought 31 against a consumer reporting agency or a user of your consumer report.

01 Sec. 45.48.180. Notification after violation. If a consumer reporting agency 02 violates a security freeze by releasing a consumer's consumer report or information 03 derived from the consumer report, the consumer reporting agency shall notify the 04 consumer within five business days after the release, and the information in the notice 05 must include an identification of the information released and of the third party who 06 received the information. 07 Sec. 45.48.190. Violations, remedies, and penalties. (a) If a consumer 08 reporting agency violates a security freeze, including a violation caused by accident, 09 by releasing a consumer's consumer report or information derived from the consumer 10 report, the consumer may 11 (1) file a complaint with the Department of Law; 12 (2) file a civil action in court against the consumer reporting agency 13 and receive 14 (A) injunctive relief to prevent or restrain further violation of 15 the security freeze; 16 (B) a civil penalty in an amount not to exceed $10,000 for each 17 violation, any damages available under other civil laws, and court costs and 18 attorney fees as allowed by the rules of court. 19 (b) Each violation of AS 45.48.100 - 45.48.290 is a separate violation for 20 purposes of imposing a penalty under (a)(2)(B) of this section. 21 Sec. 45.48.200. Minimum contacts. A consumer reporting agency is subject 22 to AS 45.48.100 - 45.48.290 if the consumer reporting agency engages in activities 23 that provide at least the minimum contacts required by substantive due process for the 24 state to exercise jurisdiction over the consumer reporting agency. 25 Sec. 45.48.210. Exemptions. (a) The provisions of AS 45.48.100 - 45.48.290 26 do not apply to the use of a consumer report by 27 (1) a person, the person's subsidiary, affiliate, or agent, or the person's 28 assignee with whom a consumer has or, before the assignment, had an account, 29 contract, or debtor-creditor relationship if the purpose of the use is to review the 30 consumer's account or to collect a financial obligation owing on the account, contract, 31 or debt;

01 (2) a subsidiary, an affiliate, an agent, an assignee, or a prospective 02 assignee of a person to whom access has been granted under AS 45.48.130 if the 03 purpose of the use is to facilitate the extension of credit or another permissible use; 04 (3) a person acting under a court order, warrant, or subpoena; 05 (4) an agency of a state or municipality that administers a program for 06 establishing and enforcing child support obligations; 07 (5) the Department of Health and Social Services, its agents, or its 08 assigns when investigating fraud; 09 (6) the Department of Revenue, its agents, or its assigns when 10 investigating or collecting delinquent taxes or unpaid court orders or when 11 implementing its other statutory responsibilities; 12 (7) a person if the purpose of the use is prescreening allowed under 15 13 U.S.C. 1681 - 1681w (Fair Credit Reporting Act); 14 (8) a person administering a credit file monitoring subscription service 15 to which the consumer has subscribed; 16 (9) a person providing a consumer with a copy of the consumer's 17 consumer report at the consumer's request. 18 (b) Notwithstanding another provision of AS 45.48.100 - 45.48.290 to the 19 contrary, AS 45.48.100 - 45.48.290 may not be interpreted to apply to the exchange of 20 information among persons who are affiliated by common ownership or common 21 corporate control. 22 Sec. 45.48.290. Definitions. In AS 45.48.100 - 45.48.290, 23 (1) "account review" means activities related to account maintenance, 24 account monitoring, credit line increases, and account upgrades and enhancements; 25 (2) "consumer" means an individual who is the subject of a consumer 26 report; 27 (3) "security freeze" means a prohibition against a consumer reporting 28 agency from releasing all or a part of a consumer's consumer report or information 29 derived from the consumer report without the express authorization of the consumer; 30 (4) "third party" means a person who is not 31 (A) the consumer who is the subject of the consumer's

01 consumer report; or 02 (B) the consumer reporting agency that is holding the 03 consumer's consumer report. 04 Article 3. Protection of Social Security Number. 05 Sec. 45.48.300. Use of social security number. (a) A person may not, 06 without the consent of the individual, 07 (1) intentionally communicate or otherwise make available to the 08 general public an individual's social security number; 09 (2) print an individual's social security number on a card required for 10 the individual to access products or services provided by the person; 11 (3) require an individual to transmit the individual's social security 12 number over the Internet unless the Internet connection is secure or the social security 13 number is encrypted; 14 (4) require an individual to use the individual's social security number 15 to access an Internet site unless a password, a unique personal identification number, 16 or another authentication device is also required in order to access the site; 17 (5) print an individual's social security number on materials that are 18 mailed to the individual, unless state or federal law requires the social security number 19 to be on the material; 20 (6) refuse to do business with an individual because the individual 21 does not consent to the receipt by the person of the social security number of the 22 individual, unless the person is expressly required under federal law, in connection 23 with doing business with an individual, to submit the individual's social security 24 number to the federal government. 25 (b) A person may not sell, lease, loan, trade, rent, or otherwise disclose an 26 individual's social security number to a third party for any purpose without the 27 individual's written consent. 28 Sec. 45.48.310. Penalties. (a) A person who knowingly violates 29 AS 45.48.300 is liable to the state for a civil penalty not to exceed $3,000. 30 (b) An individual may bring a civil action in court against a person who 31 knowingly violates AS 45.48.300 and may recover actual damages or $5,000,

01 whichever amount is greater, and court costs and attorney fees allowed by the rules of 02 court. 03 (c) A person who knowingly violates AS 45.48.300 is guilty of a class A 04 misdemeanor. 05 (d) In this section, "knowingly" has the meaning given in AS 11.81.900. 06 Article 4. Disposal of Records. 07 Sec. 45.48.400. Disposal of records. A business shall take, in connection 08 with and after the disposal of the records, all reasonable measures necessary to protect 09 against unauthorized access to or use of the records of the business that contain 10 personal information. 11 Sec. 45.48.410. Measures to protect access. The measures required to be 12 taken under AS 45.48.400 include 13 (1) implementing and monitoring compliance with policies and 14 procedures that require the burning, pulverizing, or shredding of paper documents 15 containing personal information so that the personal information cannot practicably be 16 read or reconstructed; 17 (2) implementing and monitoring compliance with policies and 18 procedures that require the destruction or erasure of electronic media and other 19 nonpaper media containing personal information so that the personal information 20 cannot practicably be read or reconstructed; 21 (3) after due diligence, entering into a written contract with a third 22 party engaged in the business of record destruction to dispose of records containing 23 personal information in a manner consistent with this statute, and monitoring with due 24 diligence the third party's compliance with the contract; 25 (4) implementing and monitoring, with regard to a third party hired 26 under (3) of this section to dispose of records containing personal information, the 27 third party's compliance with policies and procedures that protect against unauthorized 28 access to or use of personal information during or after the collection, transportation, 29 and disposal of the records under (1) and (2) of this section. 30 Sec. 45.48.420. Due diligence. In AS 45.48.410(3), due diligence ordinarily 31 includes performing one or more of the following:

01 (1) reviewing an independent audit of the third party's operations and 02 its compliance with AS 45.48.400 - 45.48.490; 03 (2) obtaining information about the third party from several references 04 or other reliable sources and requiring that the third party be certified by a recognized 05 trade association or similar organization with a reputation for high standards of quality 06 review; 07 (3) reviewing and evaluating the third party's information security 08 policies and procedures, or taking other appropriate measures to determine the 09 competency and integrity of the third party. 10 Sec. 45.48.430. Business policy and procedures. A business shall 11 comprehensively describe and classify as the business's official policy in the writings 12 of the business the policies and procedures that relate to the adequate destruction and 13 proper disposal of personal records. In this section, "writings" includes corporate 14 handbooks, employee handbooks, and similar corporate documents. 15 Sec. 45.48.440. Civil penalty. An individual or a business that knowingly 16 violates AS 45.48.400 - 45.48.490 is liable to the state for a civil penalty not to exceed 17 $3,000. In this section, "knowingly" has the meaning given in AS 11.81.900. 18 Sec. 45.48.450. Court action. An individual who is damaged by a violation 19 of AS 45.48.400 - 45.48.490 may bring a civil action in court to enjoin further 20 violations and to recover damages for the violation and court costs and attorney fees 21 allowed by the rules of court. 22 Sec. 45.48.490. Definitions. In AS 45.48.400 - 45.48.490, 23 (1) "business" means a person who conducts business in the state or a 24 person who conducts business and maintains or otherwise possesses personal 25 information on state residents; in this paragraph, 26 (A) "conducts business" includes engaging in activities as a 27 financial institution organized, chartered, or holding a license or authorization 28 certificate under the laws of this state, another state, the United States, or 29 another country; 30 (B) "possesses" includes possession for the purpose of 31 destruction;

01 (2) "dispose" means 02 (A) the discarding or abandonment of records containing 03 personal information; 04 (B) the sale, donation, discarding, or transfer of 05 (i) any medium, including computer equipment or 06 computer media, that contains records of personal information; 07 (ii) nonpaper media, other than that identified under (i) 08 of this subparagraph, on which records of personal information are 09 stored; and 10 (iii) equipment for nonpaper storage of information; 11 (3) "personal information" means information that identifies, relates to, 12 describes, or is capable of being associated with a particular individual, and includes a 13 name, signature, social security number, fingerprint, photograph, computerized image, 14 physical characteristic, physical description, address, telephone number, passport 15 number, driver's license, state identification number, date of birth, medical 16 information, bank account number, credit card number, debit card number, and 17 financial information; 18 (4) "records" means material on which information that is written, 19 drawn, spoken, visual, or electromagnetic is recorded or preserved, regardless of 20 physical form or characteristics, but does not include publicly available directories 21 containing names, addresses, telephone numbers, or other information an individual 22 has voluntarily consented to have publicly disseminated or listed. 23 Article 5. Factual Declaration of Innocence after Identity Theft. 24 Sec. 45.48.500. Factual declaration of innocence after identity theft. (a) 25 A victim of identity theft may petition the superior court for a determination that the 26 victim is factually innocent of a crime if 27 (1) the perpetrator of the identity theft was arrested for, cited for, or 28 convicted of the crime using the victim's identity; 29 (2) a criminal complaint has been filed against the perpetrator in the 30 victim's name; or 31 (3) the victim's identity has been mistakenly associated with a record

01 of a conviction for a crime. 02 (b) In addition to a petition by a victim under (a) of this section, the 03 department may petition the superior court for a determination under (a) of this 04 section, or the superior court may, on its own motion, make a determination under (a) 05 of this section. 06 Sec. 45.48.510. Basis for determination. A determination of factual 07 innocence under AS 45.48.500 may be heard and made on declarations, affidavits, 08 police reports, or other material, relevant, and reliable information submitted by the 09 parties or ordered to be made a part of the record by the court. 10 Sec. 45.48.520. Criteria for determination; court order. (a) A court shall 11 determine that a victim is factually innocent of a crime if the court finds that the 12 petition or motion brought under AS 45.48.500 is meritorious and that 13 (1) there is not a reasonable cause to believe that the victim committed 14 the crime for which the perpetrator of the identity theft was arrested, cited, convicted, 15 or subject to a criminal complaint in the victim's name; or 16 (2) the victim's identity has been mistakenly associated with a record 17 of a conviction of a crime. 18 (b) If a court finds under this section that the victim is factually innocent of a 19 crime, the court shall issue an order indicating this determination of factual innocence 20 and shall provide the victim with a copy of the order. 21 Sec. 45.48.530. Orders regarding records. After a court issues an order 22 under AS 45.48.520, the court may order the name and associated personal 23 information of the victim that is contained in the files, indexes, and other records of 24 the court that are accessible by the public deleted, sealed, or labeled to show that the 25 name and personal information is impersonated and does not reflect the defendant's 26 identity. 27 Sec. 45.48.540. Vacation of determination. A court that has issued an order 28 under AS 45.48.520 may, at any time, vacate the order if the petition or motion, or any 29 information submitted in support of the petition or motion, is found to contain a 30 material misrepresentation or fraudulent material. 31 Sec. 45.48.550. Court form. The supreme court of the state may develop a

01 form to be used for the order under AS 45.48.520. 02 Sec. 45.48.560. Data base. The department may establish and maintain a data 03 base of individuals who have been victims of identity theft and who have received an 04 order under AS 45.48.520. The department shall provide a victim or the victim's 05 authorized representative access to a data base established under this section in order 06 to establish that the individual has been a victim of identity theft. Access to the a data 07 base established under this section is limited to criminal justice agencies, victims of 08 identity theft, and individuals and agencies authorized by the victims. 09 Sec. 45.48.570. Toll-free telephone number. The department may establish 10 and maintain a toll-free telephone number to provide access to information in a data 11 base established under AS 45.48.560. 12 Sec. 45.48.590. Definitions. In AS 45.48.500 - 45.48.590, 13 (1) "crime" has the meaning given in AS 11.81.900; 14 (2) "department" means the Department of Law; 15 (3) "identity theft" means the theft of the identity of an individual; 16 (4) "perpetrator" means the person who perpetrated the theft of an 17 individual's identity; 18 (5) "victim" means an individual who is the victim of identity theft. 19 Article 7. Miscellaneous Provisions. 20 Sec. 45.48.800. Consumer credit header information. (a) A consumer 21 reporting agency may not furnish by a written, an oral, or another method of 22 communication a consumer's credit header information to a person unless the person 23 has a permissible purpose under 15 U.S.C. 1681b (Fair Credit Protection Act) to 24 obtain the consumer's consumer report. 25 (b) In this section, "credit header information" means the social security 26 number of a consumer, or a derivative of the social security number, the maiden name 27 of the mother of the consumer, the birth date of the consumer, and other personally 28 identifiable information of a consumer that is derived from nonpublic personal 29 information, except the name, address, and telephone number of the consumer listed in 30 a residential telephone directory available in the locality of the consumer. 31 Sec. 45.48.810. Right to file police report regarding identity theft. (a)

01 Even if the local law enforcement agency does not have jurisdiction over the theft of 02 an individual's identity, if an individual who has learned or reasonably suspects the 03 individual has been the victim of identity theft contacts, for the purpose of filing a 04 complaint, a local law enforcement agency that has jurisdiction over the individual's 05 actual place of residence, the local law enforcement agency shall make a report of the 06 matter and provide the individual with a copy of the report. The local law 07 enforcement agency may refer the matter to a law enforcement agency in a different 08 jurisdiction. 09 (b) This section is not intended to interfere with the discretion of a local law 10 enforcement agency to allocate its resources to the investigation of crime. A local law 11 enforcement agency is not required to count a complaint filed under (a) of this section 12 as an open case for purposes that include compiling statistics on its open cases. 13 Article 8. General Provisions. 14 Sec. 45.48.900. Relationship to federal law. If a provision of this chapter is 15 preempted by or conflicts with federal law in a particular situation, the provision does 16 not apply to the extent of the preemption or conflict. 17 Sec. 45.48.990. Definitions. In this chapter, unless the context indicates 18 otherwise, 19 (1) "consumer" means an individual; 20 (2) "consumer report" means a written, oral, or other communication 21 of information by a consumer reporting agency bearing on a consumer's credit 22 worthiness, credit standing, credit capacity, character, general reputation, personal 23 characteristics, or mode of living if the communication is used or expected to be used 24 or collected in whole or in part to serve as a factor in establishing the consumer's 25 eligibility for 26 (A) credit or insurance to be used primarily for personal, 27 family, or household purposes; 28 (B) employment purposes; or 29 (C) any other permissible purpose authorized under section 15 30 U.S.C. 1681b; 31 (3) "consumer reporting agency" means a person who, for monetary

01 fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in 02 the practice of assembling or evaluating consumer credit information or other 03 information on consumers for the purpose of furnishing consumer reports to third 04 parties; 05 (4) "person" has the meaning given in AS 01.10.060 and includes a 06 state or local governmental agency, except for an agency of the judicial branch; 07 (5) "state resident" means an individual who satisfies the residency 08 requirements under AS 01.10.055. 09 Sec. 45.48.995. Short title. This chapter may be cited as the Alaska Personal 10 Information Protection Act. 11 * Sec. 2. The uncodified law of the State of Alaska is amended by adding a new section to 12 read: 13 INDIRECT COURT RULE AMENDMENT. AS 45.48.540, enacted by sec. 1 of this 14 Act, has the effect of changing Rule 60(b), Alaska Rules of Civil Procedure, by allowing a 15 court to vacate an order on its own motion and at any time and by establishing a specific 16 criterion for vacating the order under AS 45.48.540. 17 * Sec. 3. The uncodified law of the State of Alaska is amended by adding a new section to 18 read: 19 TRANSITION: IMPLEMENTATION. A person to whom AS 45.48.300 and 20 45.48.310, enacted by sec. 1 of this Act, apply shall make reasonable efforts to cooperate, 21 through systems testing and other means, to ensure that the requirements of AS 45.48.300 and 22 45.48.310 are implemented on or before the effective date of AS 45.48.300 and 45.48.310.