Legislature(2023 - 2024)BARNES 124
03/25/2024 03:15 PM House LABOR & COMMERCE
Note: the audio ![]()
and video ![]()
recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.
| Audio | Topic |
|---|---|
| Start | |
| HB218 | |
| HB313 | |
| HB324 | |
| HB55 | |
| HB226 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| *+ | HB 313 | TELECONFERENCED | |
| *+ | HB 324 | TELECONFERENCED | |
| += | HB 55 | TELECONFERENCED | |
| + | TELECONFERENCED | ||
| += | HB 226 | TELECONFERENCED | |
| += | HB 218 | TELECONFERENCED | |
HB 324-INS. DATA SECURITY; INFO. SECURITY PRGRMS
4:20:00 PM
VICE CHAIR RUFFRIDGE announced that the next order of business
would be HOUSE BILL NO. 324, "An Act relating to insurance data
security; amending Rule 26, Alaska Rules of Civil Procedure, and
Rules 402 and 501, Alaska Rules of Evidence; and providing for
an effective date."
4:21:14 PM
The committee took a brief at-ease at 4:21 p.m.
4:21:36 PM
REPRESENTATIVE WRIGHT moved to adopt the proposed committee
substitute (CS) for HB 324, Version 33-LS1348\B, Wallace,
3/21/24, ("Version B"), as the working document.
REPRESENTATIVE CARRICK objected for purposes of discussion.
4:21:57 PM
The committee took a brief at-ease.
4:22:32 PM
REPRESENTATIVE CARRICK removed her objection. There being no
further objection, Version B was before the committee.
4:22:43 PM
REPRESENTATIVE WILL STAPP, Alaska State Representative,
introduced HB 324 as prime sponsor. He stressed that insurance
data security is paramount in today's digital age given that
data breaches have occurred throughout Alaska and insurance is
no different. While most insurance companies have taken steps
to mitigate the risk of data breaches, he stated, the bill would
set a uniform standard to allow the Division of Insurance to
regulate those companies to ensure that Alaska's constitutional
provision of right to privacy is upheld and consumers'
information is protected as much as possible. He allowed [it's
likely impossible to] devise a system in which an individual's
personal information is always going to be protected but said HB
324 would be one step forward to establishing a good regulatory
framework to ensuring that an individual's data is protected.
4:24:32 PM
CLIFTON COGHILL, Staff, Representative Will Stapp, Alaska State
Legislature, on behalf of Representative Stapp, prime sponsor of
HB 324, presented the changes in Version B, the proposed CS for
the bill. He spoke from the document, titled "Summary of
Changes for HB 324 Bill Version A to B" [included in committee
packet], which read as follows [original punctuation provided]:
Structural Change
All sections of the bill moved from AS 21.96 to AS
21.23. Legal Services Division felt that the topic of
the bill would fit better under Risk Management in
Alaska statute.
Throughout the bill, changes all references of 72
hours to 3 business days instead.
All Changes are in Section 1
• Page 1, Line 5
o Adds a new section, Purpose and Construction,
establishing an exclusivity standard.
• Page 2, Line 1-5
o Adds clarifying language.
commensurate with the size and complexity of the
licensee and in consideration of the nature and scope
of the licensee's activities and be used by on in
possession or control of the licensee
• Page 4, Line 2-4
o Adds clarifying language.
The licensee shall adopt procedures for testing the
security of externally developed applications used by
the licensee.
• Page 5, Line 2-9
o Adds clarifying language.
where appropriate, encrypted nonpublic information is
not considered accessible to, or held by, the third-
party service provider if the associated protective
process or key necessary to assign [meaning] to the
nonpublic information is not within the possession of
the third-party service provider;
• Page 8, Line 8-10
o Changes "law enforcement official" to be exclusively
of federal law enforcement. There were
concerns that law enforcement would be too broad.
o (a) Unless a federal law enforcement official
instructs the licensee not to distribute information
regarding a cybersecurity event
• Page 8, Line 25-26
o Adds clarifying language
o (b) To the greatest extent possible and in a form
and format prescribed by the
o director,
• Page 10, Line 27-28
o Except as provided in (f) and (g) of this section, a
licensee acting as an assuming insurer ovides
reporting requirement exemptions for reinsurers with
exceptions.
• Page 11, Line 9-23
o Clarifies reporting requirements regarding insurers
and insurance producers.
o (j) An insurer shall notify an insurance producer of
a cybersecurity event
o involving nonpublic information, not later than the
date the notice is provided to the affected consumers,
if (1) the nonpublic information is in the possession
or control of a licensee that is an insurer or the
licensee's third-party service provider; (2) the
consumer accessed the insurer's services through an
insurance producer; and (3) the insurer is required to
notify affected consumers
• Page 13, Line 1-4
o Clarifies that the director cannot share privileged
information without the written consent of licensees.
• Page 14-15
o Clarifies some definitions. Of note is the
definition of "non-public information" is expanded
upon.
4:28:28 PM
REPRESENTATIVE FIELDS asked whether local or state law
enforcement has been involved in security breaches in the past.
4:29:06 PM
LORI WING-HEIER, Director, Division of Insurance, Department of
Commerce, Community & Economic Development (DCCED) State of
Alaska, responded that when the original bill was introduced
there was discussion with the insurance industry that if a
cyberbreach occurred and the industry was also working with the
Federal Bureau of Investigation (FBI) or the [US] Department of
Justice (DOJ), industry might not have to report to the Division
of Insurance, yet the Division of Insurance is the is the
insurance industry's regulator. The compromise, she continued,
was that industry would report to the division unless the FBI or
the DOJ directs otherwise, and so the division's mission would
be to ensure that consumers in Alaska receive notice and then
the investigation would proceed from there.
REPRESENTATIVE FIELDS reported that half of the other US states
have adopted some version of this bill. He asked whether it
varies or is cookie cutter across these states in following the
language of the National Association of Insurance Commissioners
(NAIC). He further asked whether HB 324 is cookie cutter or has
specific factors built in.
MS. WING-HEIER responded that there was nothing built in by the
department. There were discussions, she said, about whether to
exempt agencies with 10 employees or with 15 employees, but
there was no giving up on any major deviations from the NAIC
model law.
4:30:48 PM
REPRESENTATIVE CARRICK inquired about the reasons for the
exemption of 10 or fewer and how that looks in other states.
MS. WING-HEIER answered that the NAIC model uses the number 10
because NAIC thought the cost to a very small agency would be
prohibitive. She pointed out that companies like State Farm or
Allstate will get what HB 324 asks for in cybersecurity data
protection, and smaller agencies that are in direct riders would
rely on the insurer itself.
REPRESENTATIVE CARRICK surmised the intent would be that this
language would cover the larger company, which would therefore
cover the small entities. In other words, she continued, every
insurer in the state would be covered by this language in some
form or fashion.
4:31:54 PM
REPRESENTATIVE STAPP replied that HB 324 has two aspects, one on
the insurer side and one on the producer side. The number being
referenced is relevant to 10 folks at a producer firm, he said.
Big companies like State Farm and Allstate, he continued, have
way more than 10 staff, have individual agencies, and already
have some different aspect of cybersecurity, such as the now-
standard two-step authentication. This bill, he explained, sets
the regulatory framework at the state level because states'
divisions of insurance still regulate that practice individually
across the 50 states.
4:33:28 PM
REPRESENTATIVE STAPP advised that there are aspects in HB 324
that should be tweaked, and he is working with the sponsor of
the Senate companion bill to address them. He said the number
10 is NAIC language and he doesn't know whether that figure is
applicable to any kind of agency in Alaska, and it may not
matter if the number were changed to 15. The bill is very
technical and needed, he added, even though he doesn't like
additional regulatory things.
4:34:27 PM
VICE CHAIR RUFFRIDGE announced that HB 324 was held over.
| Document Name | Date/Time | Subjects |
|---|---|---|
| HB313 PowerPoint Presentation for HL&C.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 313 |
| HB313 ver. A.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 313 |
| HB313 Transmittal Letter.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 313 |
| HB313 Sectional Analysis ver. A.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 313 |
| HB313 Fiscal Note DCCED-RCA.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 313 |
| HB 324-Sponsor Statement.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 324 |
| HB 324 Sectional Analysis.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 324 |
| HB 324 Supporting Documents-State Map.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 324 |
| HB233 Support Letter - Chair of Automative and Diesel Tech UAA.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 233 |
| UA TVEP_HLC Committee_3-25-24.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 55 |
| 2024 UA TVEP Reauthorization Report.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 55 |
| FY23 AWIB Technical and Vocational Report.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 55 |
| AWIB Resolution Supporting Reauthorization of TVEP-docx.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 55 |
| B.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 324 |
| Summary of Changes HB 324 – Bill Ver A to B.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 324 |
| 20240325 AK HB 226 COA support.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 226 |
| HB218 Amendments.pdf |
HL&C 3/25/2024 3:15:00 PM |
HB 218 |