Legislature (2007 - 2008) HOUSE FINANCE 519
02/13/2008 01:30 PM House FINANCE
| Audio | Topic |
|---|---|
| Start | |
| HB325 | |
| HB285 | |
| HB65 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
| + | HB 325 | TELECONFERENCED | |
| + | HB 285 | TELECONFERENCED | |
| += | HB 65 | TELECONFERENCED | |
| + | TELECONFERENCED |
HOUSE BILL NO. 65
"An Act relating to breaches of security involving
personal information, credit report and credit score
security freezes, consumer credit monitoring, credit
accuracy, protection of social security numbers, care
of records, disposal of records, identity theft,
furnishing consumer credit header information, credit
cards, and debit cards, and to the jurisdiction of the
office of administrative hearings; amending Rule 60,
Alaska Rules of Civil Procedure; and providing for an
effective date."
Vice-Chair Stoltze MOVED to ADOPT work draft 25-LS0311\L,
Bannister, 2/4/08. There being NO OBJECTION, it was adopted.
Representative Nelson asked if the Committee would be
addressing amendments.
AT EASE: 2:59:09 PM
RECONVENE: 3:00:14 PM
3:00:17 PM
REPRESENTATIVE JOHN COGHILL, SPONSOR, provided an overview
of the working sectional for House Finance on proposed
changes to HB 65 (On File).
Title: Insert disclosure of permanent fund
dividend applicant records on line 5 after
administrative hearings.
Section 1 AS 40.21.110 Care of records - this
sets out the ownership of public records and
how they are to be managed from creation to
disposal.
Section 2 AS 43.23.017 relates to the
confidentiality of information on each
permanent fund dividend application.
Section 3 AS 43.23.017 allows disclosure of
the non-confidential applicant information to
a business that is licensed under AS
43.70.020.
Section 4 AS 44.64.030(a) adds a new
paragraph (35) AS 45.48.080(c) which is part
of the new Chapter 48 Personal Information
Protection Act.
Section 5 AS 45 is amended by adding a new
chapter Personal Information Protection Act.
This new chapter contains a total of seven
(7) Articles with individual sections.
Article 1.
Breach of Security
Involving Personal Information
Sec. 45.48.010 Disclosure of breach of
security
Describes what a covered person who owns or
[uses] licenses personal information must do
in case of a breach of information.
This change makes it clear a covered person
that owns or licenses information is
responsible for disclosure and notification
in case of a breach. Covered is described in
Sec. 45.48.090 Definitions - to bring
conformity to the meaning of person
throughout Article 1.
Sec. 45.48.020 Allowable delay in
notification
Describes reasons for delaying notification
of a breach of information.
Sec. 45.48.030 Methods of notice
Describes the methods to be used to notify a
person that there has been a breach of
information. Lists exceptions to the methods
of notification relating to cost and number
of consumers to be notified.
Sec. 45.48.040 Notification of certain other
agencies
Describes when it is necessary to notify
other consumer reporting agencies about a
breach. Exceptions to these
requirements are also set out.
Sec. 45.48.050 Exception for employees and
agents
Lists exceptions for acquisition of personal
information by an employee or agent of an
information collector.
Sec. 45.48.060 Waivers
No waivers of these sections are allowed.
Sec. 45.48.070 Treatment of certain breaches
A breach of information by an information
recipient must be reported to the information
distributor so they can comply with the
notification requirements if the breach
occurred to an information system maintained
by the information distributor.
Sec. 45.48.080 Violations
Sets out fines for violations of 45.48.010-
45.48.090 by a governmental agency that is an
information collector, and information
collectors who are not governmental agencies.
Defines "governmental agency".
Sec. 45.48.090 Definitions
Defines the following terms:
(1)breach of the security;
(2) ["information collector"]
is replaced with: "covered person"
means a
(A) person doing business;
(B) a governmental agency; or
(C) a person with more than 10 employees
This new subsection (2) describes "covered
person" and replaces information collector
throughout Article 1.
(3) "governmental agency" means a state or
local governmental agency, except for an
agency of the judicial branch.
New definition because "governmental agency"
is included in "covered person" it needs to
be defined.
(4) "information collector" means a covered
person who owns or licenses personal
information in any form if the personal
information includes personal information on
a state resident.
Changes in definition of "information
collector" include "covered person" which is
described in (2) above.
New subsection:
(7) "personal information"
Page 7, Line 23: Delete [address, or
telephone number] after individuals name.
Address and telephone number are deleted
because this information is readily available
in public records.
Page 7, Line 31 to
Page 8, Lines 1 - 7 Add (iii) except as
provided in (iv) of this subparagraph, the
individual's account number, credit card
number, or debit card number;
(iv) if an account can only be accessed with
a personal code, the number in (iii) of this
subparagraph and the personal code; in this
sub-subparagraph, "personal code" means a
security code, an access code, a personal
identification number, or a password;
(v) passwords, personal identification
numbers, or other access codes for financial
accounts.
These changes were made to make it clear what
information and combinations of information
is considered personal information. The
combination of numbers, codes, cards, etc. if
breached would be cause for notification to
an individual. Adding in access codes and
PIN numbers tightened down the requirement
on information breach notification
requirements.
Article 2.
Credit Report
and Credit Score Security Freeze
Sec. 45.48.100 Security freeze authorized
Rights of consumers to prohibit release of
their personal information.
Sec. 45.48.110 Placement of security freeze
(a)(1) by [certified] mail
Sets out procedures for a consumer to request
a consumer credit reporting agency to freeze
their information.
Page 8, Line 15 Remove requirement that
request for freeze be made by certified mail.
Sec. 45.48.120 Confirmation of security
freeze
Describes the responsibility of the consumer
credit reporting agency to notify the
consumer when a security freeze has been
placed.
Sec. 45.48.130 Access and actions during
security freeze
Describes how a consumer can allow access to
their information by a third party when a
security freeze is in place; timeframe for
the consumer credit reporting agency to
respond, how an insurer is to treat a
consumer's application if a security freeze
prevents access to the consumer's
information, and what changes are allowed
when a security freeze is in place, and
notification requirements. Defines "official
information" and "technical change".
Page 9, Line 27, 28 (d) [immediately] to 15
minutes;
Change from immediately to 15 minutes was a
more reasonable response time.
Sec. 45.48.140 Removal of security freeze
Sets out procedure for removing a security
freeze, how the request for the freeze is to
be made, how the consumer credit reporting
agency shall respond, and what identifiers
are necessary to remove the freeze.
Page 11, Line 22 (b) [immediately] to within
three days.
Change from immediately to within three days
was a more reasonable response time.
Sec. 45.48.150 Prohibition
Sets out guidelines for reporting to third
parties when a security freeze is in place.
Sec. 45.48.160 Charges
Charges to a consumer regarding security
freezes.
Sec. 45.48.170 Notice of rights
Additional notices to be given when a
consumer is provided a summary of rights
under the Fair Credit Reporting Act (FCRA).
Caution is given that a security freeze may
prohibit the timely approval of subsequent
requests or transactions.
Page 13, [rental housing, employment, an
investment, a license, a digital signature]
Page 14, Line 17 Internet credit card
[transaction] application, an extension of
credit at point of sale, and other items and
services.
Specific items were deleted because they are
exceptions to a security freeze in other
sections. Application was substituted for
transaction for clarification that a freeze
does not stop a person from making purchases
with their card.
This section also advises the individual that
there may be charges for lifting a freeze
after the person has used their two free
lifts.
Page 14 - Lines 9 - 11 [Under some
circumstances] After the first two requests
in a year the consumer credit reporting
agency may charge you $2 to temporarily lift
the freeze. This change lets an individual
know that the CRA may charge $2 to lift a
freeze after the 2 free lifts. Deleted
"Under some circumstances" to remove ambiguity
of when the charges might be applied, but
gives the CRA some latitude as to whether or
not they want to charge for additional lifts.
Sec. 45.48.180 Notification after violation
Describes the notice required if a consumer
credit reporting agency violates a security
freeze. The timeframe to report the violation
is within five business days after:
Page 14, Line 28 insert discovering the
release.
Inserted the word discovering for
clarification that a violation may have
occurred but until it is discovered the CRA
cannot be expected to give notice.
Sec. 45.48.190 Resellers
Requires that a consumer credit reporting
agency acting as a reseller honor a security
freeze that is placed by another consumer
reporting agency.
Sec. 45.48.200 Violations and penalties
Describes the rights of a consumer who
suffers damages as a result of a breach of
their personal information.
Page 15, Lines 7 - 10 [actual damages,
including loss of wages, and when applicable,
damages for pain and suffering;] may recover
actual economic damages, court costs allowed
by the rules of court, and full reasonable
attorney fees.
These changes reflect the penalties allowed
throughout the Act. The individual has the
right to recover actual economic damages,
court costs and attorney fees.
Sec. 45.48.210 Exemptions
Lists exemptions to the use of credit
information when a security freeze is in
place. The exceptions in
Page 16, Line 26 (b) do not apply to a person
[who acts] when acting only as a reseller of
consumer information.
A person may wear many "information" hats.
This change makes it clear that exemptions do
not apply when a person is acting as a
reseller, which is narrower than who acts.
Sec. 45.48.290 Definitions
Defines the following terms: account review;
consumer; consumer credit reporting agency;
reseller of consumer information; security
freeze; third party.
Article 3.
Protection of Social Security Number
Sec. 45.48.400 Use of social security number
Sets out guidelines for handling a person's
social security number.
Sec. 45.48.410 Request and collection
Sets out prohibitions and exemptions for
requesting or collecting an individual's
social security number.
(b)(1) if the person is expressly authorized
by local, state, or federal law, including a
regulation adopted under AS 45.48.470, to
demand proof of the individual's social
Security number, to
Page 18, Line 26 request or collect the
individual's social security number
(5) if the request or collection is for a
background check on the individual, law
enforcement
Page 19, Line 12 or other government purposes
or the individual's
(6) if the
Page 19, Line 14 [disclosure] request or
collection does not have independent economic
value,
The changes shown above protect those
individuals required to collect a social
security number. Disclosure is deleted as
this section is not dealing with disclosure
of SSN.
Sec. 45.48.420 Sale, lease, loan, trade, or
rental
Prohibitions and exemptions regarding third
party use of social security numbers.
Page 19, Lines 27 - 29 (c) Nothing in this
section prevents a business from transferring
social security numbers to another person if
the transfer is part of the sale or other
transfer of the business to the other person.
This new subsection allows the sale or
transfer of a business that owns or possesses
social security numbers.
Sec. 45.48.430 Disclosure
Prohibitions and exemptions regarding
disclosure of social security numbers to
third parties.
(b)(5) the disclosure is for a background
check on the individual, law enforcement
Page 20, Line 21 or other government purposes
or the individual's employment, including
employment benefits.
Or other government is included for
consistency with Sec. 45.48.410 and for
protection when performing duties that
include disclosure.
Sec. 45.48.440 Interagency disclosure
Describes when and to whom disclosure is
authorized.
Sec. 45.48.450 Exception for employees,
agents, & independent contractors
Describes when and to whom disclosure is
authorized.
Sec. 45.48.460 Employment-related exception
Describes when use of a social security
number should not be restricted.
Sec. 45.48.470 Agency regulations
Procedures for adopting regulations necessary
for a state agency to carry out their duties
and responsibilities.
Sec. 45.48.480 Penalties
Rights of the state and individuals against
persons that knowingly violate these sections
and what damages and attorney fees may be
recovered. For consistency with other
sections that deal with penalties - insert
Page 22, Line 4 economic after actual.
Article 4.
Disposal of Records
Sec. 45.48.500 Disposal of records
This sets out the measures to be followed
when disposing of records which contain
personal information.
Sec. 45.48.510 Measures to protect access.
Describes the measures that may be taken to
comply with Sec. 45.48.500 (above).
Sec. 45.48.520 Due diligence
Lists procedures that if performed show due
diligence.
Sec. 45.48.530 Policy and procedures
A business or governmental agency shall adopt
written policies and procedures relating to
records disposal.
Sec. 45.48.540 Exemptions
Compliance with these sections is not required
if a government agency or business is
required by federal law to act in another
way, or the business is subject to and in
compliance with GLBA, or FCRA.
Sec. 45.48.550 Civil penalty
Liability to the state by an individual,
business, or governmental agency for
violations of these sections.
Sec. 45.48.560 Court action
Page 24, Lines 1 - 4 actual economic damages
court costs allowed by the rules of court,
and full reasonable attorney fees.
These changes are made to this section
consistent with court actions and penalties
throughout the Act.
Sec. 45.48.590 Definitions
Defines the following terms: business;
conducts business; possesses; dispose;
governmental agency; personal information;
records.
(4) "personal information" means
Page 25, Line 2 (B)(i) name, [address, or
telephone number] and.
This change will make the definition of
"personal information" consistent by removing
address and telephone number.
Article 5.
Factual Declaration of Innocence
after Identity Theft,
Right to file Police Report
Regarding Identity Theft
Sec. 45.48.600 Factual declaration of
innocence after identity theft
Describes the conditions that should exist in
order for an individual to petition the
superior court for a determination of
innocence of a crime involving the theft of
their identity.
Sec. 45.48.610 Basis for determination
Lists the type of information that may be
made part of the record for the court to make
a determination of factual innocence.
Sec. 45.48.620 Criteria for determination;
court order
Sets the criteria that the court may use to
determine a victim's factual innocence.
Sec. 45.48.630 Orders regarding records
Describes what the court may order regarding
the disposition of incorrect records
regarding a victim of identity theft.
Sec. 45.48.640 Vacation of determination
States that a court order may be vacated if
there has been a misrepresentation of the
material.
Sec. 45.48.650 Court form
Development of a form to be used under
45.48.620
Sec. 45.48.660 Data base
This section allows the establishment and
maintenance of a data base of victims of
identity theft, and who has authorization to
the information.
Sec. 45.48.670 Toll-free telephone number
Establishes a toll-free number that accesses
the information in the data base established
in 45.48.660.
Sec. 45.48.680 Right to file police report
regarding identity theft
Sets out rights of an individual to file a
police report if they suspect they are a
victim of identity theft, and the
responsibility of a law enforcement agency to
make the report even if they do not have
jurisdiction.
Sec. 45.48.690 Definitions
Defines the following terms: crime,
department, identity theft, perpetrator, and
victim.
Article 6.
Truncation of Card Information
Sec. 45.48.750 Truncation of card information
Describes limits on a business regarding the
printing of credit or debit card numbers and
the exceptions depending on whether the
receipt is produced electronically or is
handwritten or imprinted. Sale of devices
that print more than the last four digits on
a consumer receipt for a credit or debit card
transaction is not allowed. Also sets out
civil action that an individual can take, and
civil penalty to the state. It also
describes credit, credit card, debit card,
and knowingly.
Page 28, Line 1 may recover actual economic
damages, [or $5,000, which ever is greater]
These changes keep the civil action damages
consistent throughout the Act.
Article 7.
General Provisions
Sec. 45.48.990 Definitions
Provides definitions of terms.
Sec. 45.48.995 Short Title
Alaska Personal Information Protection Act.
Page 29, Line 17 deleted AS 45.48.750 is
amended by adding a new subsection (f).
This subsection was included in Article 6
Truncation of Card Information - Page 27,
Lines 28-30, subsection (c).
New Section 6
Page 29, Lines 17 - 24 AS 45.50.471(b) is
amended by adding a new paragraph (53) (A)
and (B).
Section 7 The uncodified law of the State of
Alaska is amended by adding a new section to
read:
INDIRECT COURT RULE AMENDMENTS
(a) AS 45.48.640 changes Rule 60(b) Rules of
Civil Procedure effecting AS 45.48.640.
(b) AS 45.48.640(b) changes Rule 82, Rules
of Civil Procedure effecting
AS 45.48.480(b).
NEW SECTION:
Section 8 - TRANSITION: REGULATIONS. A state
agency may proceed to adopt regulations
necessary to implement this Act. The
regulations take effect under AS 44.62
(Administrative Procedure Act), but not
before the effective date of the law
implemented by the regulation.
Section 9 AS 45.48.470 enacted by Sec. 5 of
this Act; takes effect immediately under AS
01.10.070(c).
Section 10 Section 8 of this Act takes effect
immediately under AS 01.10.070(c).
Section 11 Except as provided by secs. 9 - 10
of this Act, this Act takes effect January 1,
2009.
3:19:22 PM
Representative Coghill noted that the bill's sponsors had
worked with State agencies regarding penalties and
provisions, and have strongly encouraged the agencies to
protect information. He acknowledged that many procedures
have already changed.
3:22:30 PM
Co-Chair Meyer said there were amendments to the bill that
would be proposed. He asked if there were questions based
on the changes proposed in the working sectional.
Representative Hawker commented that a number of his
previous concerns had been addressed. He wondered if
consensus had been reached regarding the whole.
3:23:48 PM
Representative Coghill thought that aside from policy calls
that he could not agree with, most concerns had been
addressed. He pointed out that the bill proposes an SSN
protection scheme that is probably the toughest in the
nation and he thought there would be some opposition. As far
as the freeze goes, the bill is well within national limits.
Truncation is less of an issue. He listed some of the
problems insurance companies and doctors had with the bill
and added that those problems are connected with billing
issues and not identification purposes.
Representative Hawker wondered if all of his concerns
related to notification by email had been addressed.
3:26:30 PM
Representative Coghill responded that the sponsors thought
mail would be the best form of notification. He thought
there might be some discussion about whether the protection
requirement should apply to both paper and electronic
records.
Representative Gara said the issue of the form of
notification is addressed by the bill. When a company has
personal financial information that is accidentally released
to the public, if a very large number of people are
affected, the company can notify by email. If the number of
people affected is a smaller number, the company has to send
a letter.
Representative Hawker said he was comfortable with the
approach.
3:29:08 PM
HB 65 was heard and HELD in Committee for further
consideration.