SB 149: "An Act relating to breaches of security involving personal information; and relating to credit report security freezes."
SENATE BILL NO. 149

"An Act relating to breaches of security involving personal information; and relating to credit report security freezes."

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:

* Section 1. AS 45 is amended by adding a new chapter to read:

Chapter 48. Information Security.

Article 1. Breach of Security Involving Personal Information.

Sec. 45.48.010. Disclosure of breach of security. (a) If a person engages in business activities in the state, uses in the business an information system that includes personal information, and a breach of the security of the system occurs, the person shall, after discovering the breach, disclose the breach to each state resident whose personal information, if unencrypted, was, or is reasonably believed to have been, acquired by an unauthorized person due to the breach.

(b) A person shall make the disclosure required by (a) of this section in the most expedient time possible and without unreasonable delay, except as provided in AS 45.48.020 and 45.48.040 and as necessary to determine the scope of the breach and restore the reasonable integrity of the information system.

(c) In this section, "business activities" means business activities that provide at least the minimum contacts required by substantive due process for the state to exercise jurisdiction over the person who is engaging in the business activities.

Sec. 45.48.020. Notification of law enforcement. A person may delay making the disclosures required by AS 45.48.010 if the Department of Law determines that the disclosures would compromise an investigation by the Department of Law.

Sec. 45.48.030. Methods of notice. A person shall make the disclosures required by AS 45.48.010

(1) by a written document that is personally delivered or mailed;

(2) by electronic means, if the electronic means is allowed under 15 U.S.C. 7001 et seq. (Electronic Signatures in Global and National Commerce Act); or

(3) if the person demonstrates that the cost of providing notice would exceed $250,000, that the affected class of persons to be notified exceeds 500,000, or that the business does not have sufficient contact information to provide notice, by

(A) electronic mail if the business has an electronic mail address for the person;

(B) conspicuously posting the disclosure on the Internet site of the person, if the person maintains an Internet site; and

(C) providing a notice to major statewide media.

Sec. 45.48.040. Exception for disclosure policy. If the person described in AS 45.48.010 maintains for the business disclosure procedures as part of an information security policy for the treatment of personal information, and the timing of disclosures under the policy is consistent with AS 45.48.010(b), the person may make the disclosure required by AS 45.48.010(a) under the disclosure procedures maintained by the person.

Sec. 45.48.050. Exception for employees and agents. In AS 45.48.010 - 45.48.090, the good faith acquisition of personal information by an employee or agent of the person described in AS 45.48.010 for the purposes of the business is not a breach of the security of the information system, if the employee or agent does not use the personal information for a purpose unrelated to the business and does not make further unauthorized disclosure of the personal information.

Sec. 45.48.060. Waivers. A waiver of AS 45.48.010 - 45.48.090 is void and unenforceable.

Sec. 45.48.070. Violations. (a) If a person violates AS 45.48.010 - 45.48.090, an individual may bring a civil action in court to

(1) recover the damages suffered by the individual;

(2) enjoin the person from further violations of AS 45.48.010 - 45.48.090.

(b) If a person violates or proposes to violate AS 45.48.010 - 45.48.090, the state may bring a civil action in court to enjoin the person from violating or continuing to violate AS 45.48.010 - 45.48.090.

(c) The rights and remedies available under this section are in addition to any other rights and remedies available under another law.

Sec. 45.48.090. Definitions. In AS 45.48.010 - 45.48.090,

(1) "breach of the security" means unauthorized acquisition of information that compromises the security, confidentiality, or integrity of personal information maintained by the business;

(2) "personal information" means information that is not available to the general public from federal, state, or local government records and that consists of a combination of an individual's first name or first initial, the individual's last name, and one or more of the following information elements, when the name or the information elements are not encrypted:

(A) the individual's social security number;

(B) the number of the individual's driver's license or state identification card;

(C) the combination of the number of the individual's financial institution account, credit card account, or debit card account, and any required security code, access code, or password that permits access to an individual's financial institution account, credit card account, or debit card account;

(3) "state resident" means an individual who satisfies the residency requirements under AS 01.10.055.

Article 2. Credit Report Security Freezes.

Sec. 45.48.100. Security freeze authorized. A consumer may prohibit a credit reporting agency from releasing all or a part of a consumer's credit report or information derived from the credit report without the express authorization of the consumer by placing a security freeze on the consumer's credit report.

Sec. 45.48.110. Placement of security freeze. (a) To place a security freeze, a consumer shall

(1) make the request to the credit reporting agency by certified mail; and

(2) provide the credit reporting agency with proper identification.

(b) A credit reporting agency shall place a security freeze within five business days after receiving a request under (a) of this section.

Sec. 45.48.120. Confirmation of security freeze. (a) Within 10 business days after a consumer makes the request under AS 45.48.110, a credit reporting agency shall send a written confirmation of the placement of the security freeze to the consumer.

(b) At the same time that the credit reporting agency sends a confirmation under (a) of this section, the credit reporting agency shall provide the consumer with a unique personal identification number or password to be used by the consumer when the consumer authorizes the release under AS 45.48.130 of the consumer's credit report or information derived from the report.

Sec. 45.48.130. Access and actions during security freeze. (a) While a security freeze is in place, a credit reporting agency shall allow a third party access to a consumer's credit report or information derived from the credit report if the consumer requests that the credit reporting agency allow the access.

(b) To make a request under (a) of this section, the consumer shall contact the credit reporting agency, authorize the credit reporting agency to allow the access, and provide the credit reporting agency with

(1) proper identification;

(2) the unique personal identification number or password provided under AS 45.48.120(b); and

(3) the proper information necessary to identify the third party to whom the credit reporting agency may allow the access or the time period during which the credit reporting agency may allow the access to third parties who request the access.

(c) A consumer reporting agency that receives a request from a consumer under (b) of this section shall comply with the request within three business days after receiving the request.

(d) A credit reporting agency may develop procedures involving the use of telephone, facsimile, or, if the consumer consents under 15 U.S.C. 7001 (Electronic Signatures in Global and National Commerce Act), the Internet or other electronic media to receive and process a request from a consumer under (a) of this section in an expedited manner.

(e) If a security freeze is in place, a credit reporting agency may not release the credit report or information derived from the credit report to a third party without the prior express authorization of the consumer.

(f) If a security freeze is in place, if a third party applies to a credit reporting agency to provide the third party with access to the consumer's credit report or information derived from the credit report, and if the consumer does not allow access for that specific party or during that specific period of time, the credit reporting agency may treat the third party's application as incomplete.

(g) A credit reporting agency shall notify a consumer that a third party has attempted to access the consumer's credit report or information derived from the report if a third party requests a credit reporting agency to provide the third party with access to the credit report or information, a security freeze has been placed, and the purpose of the access is not for the sole purpose of account review.

(h) This section is not intended to prevent a credit reporting agency from advising a third party who requests access to a consumer's credit report or information derived from the credit report that a security freeze is in effect.

Sec. 45.48.140. Removal of security freeze. (a) Except as provided by AS 45.48.130, a credit reporting agency may not remove a security freeze unless

(1) the consumer requests that the credit reporting agency remove the security freeze under (b) of this section; or

(2) the consumer made a material misrepresentation of fact to the credit reporting agency when the consumer requested the security freeze under AS 45.48.110; if a credit reporting agency intends to remove a security freeze on a consumer's credit report under this paragraph, the credit reporting agency shall notify the consumer in writing before removing the security freeze.

(b) A credit reporting agency shall remove a security freeze placed under (a)(1) of this section within three business days after receiving a request for removal from the consumer who requested the security freeze if the consumer provides proper identification to identify the consumer and the unique personal identification number or password provided by the consumer reporting agency under AS 45.48.120.

Sec. 45.48.150. Disclosure of process. If a consumer requests a security freeze under AS 45.48.100, the credit reporting agency shall disclose to the consumer the process under AS 45.48.100 - 45.48.290 of placing a security freeze, allowing access to a third party during a security freeze, and allowing access during a specific period of time during a security freeze.

Sec. 45.48.160. Charges. A credit reporting agency may not charge a consumer more than

(1) $2 for each time that the consumer places a security freeze under AS 45.48.100 or allows access for a specific person during a security freeze under AS 45.48.130; or

(2) $4 for each time that the consumer allows access for a specific period of time under AS 45.48.130.

Sec. 45.48.170. Additional identification information. A credit reporting agency may require additional information about the consumer's employment, personal history, and family history in order to verify the consumer's identity only if the consumer is unable to reasonably identify the consumer with proper identification.

Sec. 45.48.180. Duties during security freeze. (a) If a security freeze is in place, a credit reporting agency may not change a consumer's name, date of birth, social security number, or address in the consumer's credit report without sending a written confirmation of the change to the consumer within 30 days after the change is posted to the consumer's file.

(b) Written confirmation under (a) of this section is not required for a technical modification of a consumer's name, date of birth, social security number, or address, including making or expanding abbreviations, correcting spellings, or correcting transposed numbers or letters.

(c) In the case of an address change under (a) of this section, the written confirmation shall be sent to both the new address and the former address.

Sec. 45.48.190. Violations and remedies. (a) A consumer who suffers damages as a result of a person's violation of AS 45.48.100 - 45.48.290 may bring an action in court against the person and recover, in the case of a violation where the person acted

(1) negligently, actual damages, including loss of wages, and, when applicable, damages for pain and suffering;

(2) knowingly,

(A) damages as described in (1) of this subsection;

(B) punitive damages that are not less than $100 nor more than $5,000 for each violation as the court determines to be appropriate; and

(C) other relief that the court determines to be appropriate.

(b) A consumer may bring an action in court against a person for a violation or threatened violation of AS 45.48.100 - 45.48.290 for injunctive relief, whether or not the consumer seeks another remedy under this section.

(c) Notwithstanding (a)(2) of this section, a person who knowingly violates AS 45.48.100 - 45.48.290 is liable in a class action for an amount that the court allows.
When determining the amount of an award in a class action under this subsection, the court shall consider, among the relevant factors, the amount of any actual damages awarded, the frequency of the violations, the resources of the violator, and the number of consumers adversely affected.

(d) In this section, "knowingly" has the meaning given in AS 11.81.900.

Sec. 45.48.270. Reports not covered. The provisions of AS 45.48.100 - 45.48.290 do not apply to a credit report if the credit report is

(1) a report that only contains information relating to transactions or experiences between the consumer and the person making the report;

(2) a communication of the information that is described in (1) of this section or that is taken from a credit application by a consumer, if

(A) the communication is limited to internal communication within the organization of the person making the report or made to another person who is owned by, or affiliated with, the person making the report; and

(B) the consumer is informed by a clear and conspicuous written disclosure that the information contained in the credit application may be communicated as allowed under (A) of this paragraph, except that, if a credit application is taken by telephone, the consumer shall initially be informed orally when the application is taken, and a clear and conspicuous written disclosure shall be made to the consumer in the first written communication to the consumer after the application is taken;

(3) an authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device;

(4) a report that conveys a person's decision whether to make a specific extension of credit directly or indirectly to a consumer in response to a request by a third party if the third party advises the consumer of the name and address of the person to whom the request was made;

(5) a report containing information solely about a consumer's character, general reputation, personal characteristics, or mode of living and the information is obtained through personal interviews with neighbors, friends, or associates of the consumer reported on, or others with whom the consumer is acquainted or who may have knowledge concerning those items of information; or

(6) a consumer credit report furnished for use in connection with a transaction that consists of an extension of credit to be used solely for a commercial purpose.

Sec. 45.48.280. Exemptions. (a) The provisions of AS 45.48.100 - 45.48.290 do not apply to the use of a credit report by

(1) a person, if the purpose of the person's use is account review or collection of a financial obligation owing for an account, contract, or negotiable instrument, and the consumer

(A) has, or had before an assignment of the account or contract by the person, an account or contract with the person, including a demand deposit account; or

(B) issued a negotiable instrument to the person;

(2) a subsidiary, an affiliate, an agent, an assignee, or a prospective assignee of a person to whom access has been granted under AS 45.48.130 if the purpose of the use is to facilitate the extension of credit or another permissible use;

(3) when acting under a court order, warrant, or subpoena, a state agency, an agency of a political subdivision of the state, a law enforcement agency, a court, or a private debt collection agency;

(4) an agency of a state or municipality that administers a program for establishing and enforcing child support obligations;

(5) the Department of Health and Social Services, its agents, or its assigns when investigating fraud;

(6) the Department of Revenue, its agents, or its assigns when investigating or collecting delinquent taxes or unpaid court orders or when implementing its other statutory responsibilities;

(7) a person if the purpose of the use is prescreening allowed under 15 U.S.C. 1681 - 1681w (Fair Credit Reporting Act);

(8) a person administering a credit file monitoring subscription service to which the consumer has subscribed;

(9) a person providing a consumer with a copy of the consumer's credit report at the consumer's request.

(b) In (a)(1) of this section, "person" includes the person's subsidiary, affiliate, or agent, an assignee of a financial obligation owed by the consumer to the person, or a prospective assignee of a financial obligation owed by the consumer to the person when in conjunction with the proposed purchase of the financial obligation.

Sec. 45.48.290. Definitions. In AS 45.48.100 - 45.48.290,

(1) "account review" includes activities related to account maintenance, account monitoring, account credit line increases, and account upgrades and enhancements;

(2) "affiliate" means a corporation that directly, or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with another corporation; in this paragraph, "control" means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a corporation;

(3) "consumer" means an individual;

(4) "credit report" means a written, oral, or other communication of information by a credit reporting agency bearing on a consumer's credit worthiness, credit standing, or credit capacity if the communication is used or expected to be used, or collected in whole or in part, to serve as a factor in establishing the consumer's eligibility for

(A) credit to be used primarily for personal, family, or household purposes;

(B) employment purposes;

(C) the rental of a dwelling unit; or

(D) any other purpose authorized under section 15 U.S.C. 1681b;

(5) "credit reporting agency" means a person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the business of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing credit reports to third parties, and these activities provide at least the minimum contacts required by substantive due process for the state to exercise jurisdiction over the person who is engaging in the activities; "credit reporting agency" does not include a governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes;

(6) "employment purposes" means, when used in connection with a consumer credit report, a report used for the purpose of evaluating a consumer for employment, promotion, reassignment, or retention as an employee;

(7) "file" means, when used in connection with information on a consumer, all of the information on that consumer recorded and retained by a credit reporting agency, regardless of how the information is stored;

(8) "permissible use" means a permissible use under 15 U.S.C. 1681b;

(9) "person" has the meaning given in AS 01.10.060 and includes a governmental body, a governmental subdivision, or a governmental agency;

(10) "proper identification" means the information generally considered sufficient to identify a person;

(11) "security freeze" means a prohibition against a credit reporting agency from releasing all or a part of a consumer's credit report or information derived from the credit report without the express authorization of the consumer.

Article 3. General Provisions.

Sec. 45.48.300. Relationship to federal law. If a provision of this chapter is preempted by or conflicts with federal law in a particular situation, the provision does not apply to the extent of the preemption or conflict.