Legislature(2023 - 2024)GRUENBERG 120
05/03/2024 01:00 PM House JUDICIARY
Note: the audio ![]()
and video ![]()
recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.
| Audio | Topic |
|---|---|
| Start | |
| SB12 | |
| SB134 | |
| HB105 | |
| HB107 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| + | TELECONFERENCED | ||
| + | SB 134 | TELECONFERENCED | |
| + | SB 12 | TELECONFERENCED | |
| += | HB 105 | TELECONFERENCED | |
| += | HB 107 | TELECONFERENCED | |
SB 134-INS. DATA SECURITY; INFO. SECURITY PRGRMS
2:14:57 PM
CHAIR VANCE announced that the next order of business would be
CS FOR SENATE BILL NO. 134(JUD), "An Act relating to insurance;
relating to insurance data security; relating to mammograms;
amending Rule 26, Alaska Rules of Civil Procedure, and Rules 402
and 501, Alaska Rules of Evidence; and providing for an
effective date."
2:20:53 PM
SENATOR JAMES KAUFMAN, Alaska State Legislature, as prime
sponsor, presented CSSB 134(JUD). He shared the sponsor
statement [included in the committee packet], which read as
follows [original punctuation provided]:
Securing sensitive personal, financial, and health
information is an essential issue for the insurance
industry. In recent years, there have been several
major data breaches involving large insurers that have
exposed and compromised the sensitive personal
information of millions of insurance consumers, which
underscores the immense need for enhanced
cybersecurity measures within the industry.
Senate Bill 134 introduces data security requirements
for insurers and empowers the Division of Insurance
with the tools necessary to effectively oversee the
protection of Alaskans' sensitive personal information
by requiring state licensed insurers and other
entities to develop, implement, and maintain an
information security program based upon a full risk
assessment.
Appropriate security measures are based upon careful,
ongoing risk assessment for internal and external
threats. Licensees are required to investigate
cybersecurity events and notify the state insurance
commissioner of such events.
Similar legislation already exists in 24 other states
and the federal government has urged states to adopt
similar measures, reflecting a nationwide recognition
of the importance of these provisions.
SB 134 also guarantees that mammography screening,
diagnostic breast examinations, and supplemental
breast examinations are covered at no cost to the
insured under applicable insurance plans.
By passing SB 134, Alaska can proactively protect its
citizens from cyber threats, enhance consumer
protections, and bolster the cybersecurity position of
the insurance industry. I urge my colleagues to join
me in supporting the security of sensitive personal
information. Thank you for your consideration.
2:23:32 PM
The committee took a brief at-ease at 2:23 p.m.
2:24:15 PM
CHAIR VANCE opened invited testimony.
2:24:42 PM
EMILY NENON, Alaska Government Relations Director, American
Cancer Society Cancer Action Network, Inc, gave invited
testimony during the hearing on CSSB 134(JUD). She said she was
testifying to the new piece of the bill, which would remove the
patient's cost for receiving follow up mammograms, diagnostic
mammograms, or supplemental breast imaging. She said the bill
would set a standard for other plans to follow even though it
only applied to state regulated insurance plans. She shared an
anecdote. She said the sooner cancer can be detected, the
sooner it can be cured. She encouraged support for this
provision.
2:26:59 PM
CHAIR VANCE opened public testimony on SB 134.
2:27:46 PM
CONOR SWEENEY, Regional Manager, State Policy and Advocacy,
Susan G. Komen, testified in support of SB 134. He shared that
many patients must choose to delay or forego a medically
necessary diagnostic because they can't afford it. He said the
bill would eliminate hefty out of pocket costs and save lives.
He urged the committee to eliminate deaths from breast cancer
and support the legislation.
2:29:19 PM
KELLEY MARRE, representing self, testified in support of SB 134,
specifically the removal of the cost sharing charge for patients
undergoing additional testing. She shared an anecdote and
reiterated that people can go from an early-stage breast cancer
diagnosis to a stage four quite rapidly. She recommended
passage of SB 134.
CHAIR VANCE closed public testimony.
2:31:10 PM
REPRESENTATIVE ALLARD moved to adopt Amendment 1 to CSSB
134(JUD), labeled 33-LS0253\H.2, Wallace, 5/3/24, which read:
Page 5, lines 10 - 17:
Delete all material and insert:
"(9) require that a third-party service
provider that has access to or holds nonpublic
information notify the licensee as soon as possible
and without unreasonable delay after determining that
the third-party service provider has experienced a
cybersecurity event involving nonpublic information
associated with a consumer; for purposes of this
paragraph, encrypted nonpublic information is
considered accessible to or held by the third-party
service provider if the associated protective process
or key necessary to assign meaning to the nonpublic
information is within the possession of the third-
party service provider;"
Page 15, line 2, following "of":
Insert "electronic"
Page 15, line 4, following "of":
Insert "electronic"
Page 15, line 14, following "means":
Insert "electronic"
REPRESENTATIVE GRAY objected.
2:31:23 PM
SENATOR KAUFMAN explained Amendment 1, which would add the word
"electronic" back into the bill to clarify that it pertains to
cyber security. In addition, the notice by third parties would
be amended to align with the requirements under existing law
relating to disclosures of personal information.
2:32:01 PM
REPRESENTATIVE GRAY noted the change from notifying consumers
"no later than three days" to "as soon as possible." He
questioned the meaning of "as soon as possible."
SENATOR KAUFMAN said the industry endeavors to respond as
quickly as possible; however, it can be challenging to stay
within that time limit. He said the change is a practical
concession to the industry.
REPRESENTATIVE GRAY moved Conceptual Amendment 1 to Amendment 1.
REPRESENTATIVE ALLARD objected.
REPRESENTATIVE SUMNER objected.
2:33:17 PM
REPRESENTATIVE GRAY explained that Conceptual Amendment 1 would
remove the words "and without unreasonable delay" and insert
"within five business days". He reasoned that if his banking
information were stolen, he would want to be informed within one
week.
2:34:23 PM
REPRESENTATIVE GROH asked for the director's opinion on the
proposed amendments.
REPRESENTATIVE SUMNER speculated that third party service
providers may not have the patients' contact information on hand
and may not be able to obtain it within five days.
2:35:43 PM
LORI WING-HEIER, Director, Division of Insurance, Department of
Commerce, Community, and Economic Development (DCCED), explained
that Amendment 1 was written for companies that use vendors, and
in many cases, these vendors have just as much information as
the insurance company. The amendment was drafted because
Senator Kiehl believed that the vendors should notify the
insurance company of a data breach. She opined that providing a
timeframe would be better than "as soon as possible." After
being notified by a third-party service provider, the insurance
company has three days to notify Ms. Wing-Heier of the data
breach in order to inform consumers.
2:36:45 PM
REPRESENTATIVE ALLARD opined that leaving the timeframe wide
open could lead to problems.
SENATOR KAUFMAN agreed that it's beneficial to shorten the
timeframe; however, it could lead to management challenges. He
said he would go with the will of the committee.
2:37:53 PM
SENATOR KAUFMAN cautioned the committee against creating a
compliance trap for vendors. He suggested that 10 days might
suffice.
MS. WING-HEIER said 10 days would still be better than "as soon
as possible."
2:38:54 PM
REPRESENTATIVE GRAY withdrew Conceptual Amendment 1 to Amendment
1. He moved Conceptual Amendment 2 to Amendment 1, which would
remove the words "and without unreasonable delay" and insert
"and not later than 10 business days" on lines 3 and 4.
REPRESENTATIVE ALLARD objected for purposes of discussion.
MS. WING HEIER clarified that insurance statutes use "working
days" not "business days." She recommended that the language
remain consistent with current statutes.
REPRESENTATIVE GRAY withdrew Conceptual Amendment 2 to Amendment
1. He moved Conceptual Amendment 3 to Amendment 1, which would
remove the words "and without unreasonable delay" and insert
"and not later than 10 working days" on lines 3 and 4.
REPRESENTATIVE ALLARD objected for purposes of discussion.
2:40:12 PM
REPRESENTATIVE SUMNER voiced his support for Conceptual
Amendment 3 to Amendment 1.
REPRESENTATIVE ALLARD removed her objection. There being no
further objection, Conceptual Amendment 3 to Amendment 1 was
adopted.
2:40:36 PM
The committee took a brief at-ease at 2:40 p.m.
2:41:06 PM
REPRESENTATIVE ALLARD removed her objection to Amendment 1, as
amended. There being no further objection, Amendment 1, as
amended, was adopted.
2:41:27 PM
REPRESENTATIVE GROH said he would not be offering Amendment 2.
He moved Amendment 3 to CSSB 134(JUD), labeled 33-LS0253\H.6,
Wallace, 5/3/24, which read:
Page 7, line 3:
Delete "written statement"
Insert "report"
Page 7, line 4:
Delete "certifying"
Insert "demonstrating"
Page 7, line 7:
Delete "written statement"
Insert "report"
Page 7, line 8:
Delete "written statement"
Insert "report"
REPRESENTATIVE ALLARD objected.
2:41:40 PM
REPRESENTATIVE GROH addressed Amendment 2, saying that by
changing the language from "certifying" to "demonstrating," the
agency would first lay out their evidence and the Division of
Insurance would be responsible for checking for compliance with
the law. He asked Ms. Wing-Heier for her views on this matter.
MS. WING-HEIER opined that the changes in Amendment 2 would not
make a big difference.
2:43:01 PM
REPRESENTATIVE SUMNER questioned whether certifying compliance
with state statute would hold more weight than demonstrating
compliance. If there were an omission, he asked whether
"demonstrating" would result in less liability.
MS. WING-HEIER agreed that certifying one's compliance with the
statute would be a higher level of assurance.
2:44:04 PM
REPRESENTATIVE GRAY asked whether a lower standard word than
"certifying" should be used.
REPRESENTATIVE GROH questioned whether certification would
provide a greater level of protection.
MS. WING-HEIER answered yes, certifying is a much higher
standard than documenting.
REPRESENTATIVE GROH sought to confirm that certifying is a
better process for the consumer and the state.
MS. WING-HEIER answered yes.
REPRESENTATIVE GROH withdrew Amendment 3. He said he would not
be offering Amendment 4.
2:45:52 PM
REPRESENTATIVE GROH moved to adopt Amendment 5 to CSSB 134(JUD),
labeled 33-LS0253\H.10, Wallace, 5/3/24, which read:
Page 8, line 15:
Delete "at the"
Insert "within 90 days of a"
REPRESENTATIVE ALLARD objected.
2:46:01 PM
REPRESENTATIVE GROH explained that Amendment 5 would create a
reliable timeframe and move the state forward in terms of when
the records are produced.
REPRESENTATIVE SUMNER said he could see value in Amendment 5 and
asked to hear from Ms. Wing-Heier.
REPRESENTATIVE ALLARD said she would not support Amendment 5.
2:49:07 PM
REPRESENTATIVE GRAY opined that 90 days is too long. If the
division is maintaining records at all times, he suggested that
the time period should be shorter.
MS. WING-HEIER said "at least five years" complies with record
retention requirements in statute. She agreed that 90 days is a
long time.
REPRESENTATIVE GROH maintained his belief that a time period
would be useful.
MS. WING-HEIER explained that when record requests are made, the
divisions provides a two-week time period for the insurance
company to supply the requested information or explain why the
data cannot be provided for further investigation or
examination.
2:51:50 PM
REPRESENTATIVE GROH asked whether the director could suggest
alternative language.
MS. WING-HEIER opined that the bill is written in a way that
works for consumers and efficiency.
REPRESENTATIVE GROH withdrew Amendment 5.
2:52:26 PM
REPRESENTATIVE GROH moved to adopt Amendment 6 to CSSB 134(JUD),
labeled 33-LS0253\H.11, Wallace, 5/3/24, which read:
Page 14, line 3:
Delete "Enforcement"
Insert "Review; enforcement"
Following "penalties.":
Insert "(a) The director shall review the risk
assessment and information security program of a
licensee to make recommendations for compliance with
AS 21.23.250 or 21.23.260. If there is a cybersecurity
event, the director shall consider any previous
recommendations made under this section and the
written statement provided under AS 21.23.260(f) in
assessing a penalty under this section."
Reletter the following subsections accordingly.
Page 14, line 4:
Delete "may"
Insert "shall"
Page 14, line 8:
Delete "may"
Insert "shall"
REPRESENTATIVE ALLARD objected.
2:52:30 PM
REPRESENTATIVE GROH explained that Amendment 6 would allow the
division to offer constructive feedback, which would ensure that
all parties are working together to protect consumer data.
MS. WING-HEIER shared her knowledge of company audits and
examinations. She said if a company has not complied in an
audit, the division asks them to be more careful. If the
company fails to comply again, fines and penalties are levied
because consumers are not being given notice to make a choice.
She said the division goes from "being nice" to being the
regulator to enforce statutory rules and regulations.
REPRESENTATIVE GROH asked the director to talk more explicitly
about what that means. He said he wanted to make sure that this
important area of the law is being done the right way.
MS. WING-HEIER said the current law allows the division to
perform examinations and investigations. If there were a data
breach, she said she would open up an investigation that would
involve her four investigators and possibly the FBI and the U.S.
Department of Justice (USDOJ). She opined that the current bill
language gives the Division of Insurance what it needs, adding
that the division spent over two years vetting the legislation
with industry, regulators, and the National Conference of
Insurance Legislators (NCOIL).
REPRESENTATIVE GROH withdrew Amendment 6.
2:57:36 PM
CHAIR VANCE sought final comments on CSSB 134(JUD), as amended.
2:57:56 PM
SENATOR KAUFMAN said the bill carries important improvements to
data security, and with the inclusion of the mammography
language, it could bring some important things to Alaska.
REPRESENTATIVE SUMNER asked to hear from Ms. Meade about the
indirect court rule amendments.
2:58:45 PM
NANCY MEADE, General Counsel, Alaska Court System, said the
notation in Section 4 of the bill is normal and not problematic
from the court's perspective.
2:59:48 PM
The committee took an at-ease from 2:59 p.m. to 3:01 p.m.
3:01:10 PM
REPRESENTATIVE ALLARD moved to rescind action on Amendment 1, as
amended. There being no objection, it was so ordered.
3:01:44 PM
REPRESENTATIVE GRAY moved to rescind action on Conceptual
Amendment 3 to Amendment 1. There being no objection, it was so
ordered.
REPRESENTATIVE GRAY moved Conceptual Amendment 4 to Amendment 1
to remove the words "and without unreasonable delay" and insert
"and not later than 10 business days". There being no
objection, Conceptual Amendment 4 to Amendment 1 was adopted.
CHAIR VANCE announced that Amendment 1, as amended, was adopted.
3:02:51 PM
REPRESENTATIVE ALLARD moved to report CSSB 134(JUD), as amended,
out of committee with individual recommendations and the
accompanying fiscal notes.
REPRESENTATIVE GROH objected for the purpose of discussion. He
thanked the commissioner and removed his objection. There being
no further objection, HCS CSSB 134(JUD) was reported from the
House Judiciary Standing Committee.