Legislature (2023 - 2024) BUTROVICH 205
03/20/2024 01:30 PM Senate JUDICIARY
Agenda: Start; SB 60; HJR 3; SB 134; Adjourn

* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled

| | Bill | |
|---|---|---|
| += | SB 60 | TELECONFERENCED |
| + | HJR 3 | TELECONFERENCED |
| + | | TELECONFERENCED |
| += | SB 134 | TELECONFERENCED |
SB 134-INS. DATA SECURITY; INFO. SECURITY PRGRMS
[CSSB 134(L&C) was before the committee.]
2:11:15 PM
CHAIR CLAMAN announced the consideration of SENATE BILL NO. 134
"An Act relating to insurance data security; amending Rule 26,
Alaska Rules of Civil Procedure, and Rules 402 and 501, Alaska
Rules of Evidence; and providing for an effective date."
CHAIR CLAMAN said this is the first hearing of SB 134 in the
Senate Judiciary Committee. He invited the bill sponsor and his
staff to identify themselves for the record and begin their
remarks.
2:11:41 PM
SENATOR JAMES KAUFMAN, speaking as sponsor, introduced SB 134.
He stated that SB 134 is intended to address growing concerns
over data breaches within the insurance industry over the last
several years. He noted that insurance companies maintain
sensitive personal, financial, and health information for
millions of consumers, making it important to establish
guidelines and standards to reduce potential damage from data
breaches within the industry.
SENATOR KAUFMAN explained that SB 134 would require state-
licensed insurance companies to assess internal and external
threats and to develop, implement, and maintain an information
security program based on those threats. While the standards in
the bill are not broad in scope, they establish the expectations
for governance, risk assessment, risk management, third-party
risk management, and incident response.
SENATOR KAUFMAN stated that SB 134 also includes specific
requirements for incident investigation and notification. The
bill would empower the Division of Insurance with the tools
needed to effectively oversee the protection of sensitive
personal information by licensees. Similar legislation already
exists in at least 23 other states, and the federal government
has urged states to adopt comparable measures, reflecting
nationwide recognition of this issue's importance.
SENATOR KAUFMAN described SB 134 as a proactive approach to
protecting personal information from cyber threats, enhancing
consumer protections, and strengthening the cybersecurity
position of the insurance industry.
SENATOR KAUFMAN expressed appreciation to the committee for
their consideration.
2:13:37 PM
DOMINICK HARNETT, Staff, Senator James Kaufman, Alaska State
Legislature, Juneau, Alaska, presented the sectional analysis
for SB 134 on behalf of the sponsor:
Section 1:
AS 21.96 is amended by adding new sections related to
insurance data security.
Sec. 21.96.250. Risk Assessment
Licensees shall conduct a risk assessment of nonpublic
information.
• In conducting the risk assessment, the licensee
shall identify reasonably foreseeable internal and
external threats, assess the likelihood and
potential damage of threats, and assess the
sufficiency of current safeguards in protecting
nonpublic information.
• A licensee shall use this risk assessment to design
the information security program required in the
next section.
Sec. 21.96.260. Information Security Program
Licensees shall develop, implement, and maintain an
information security program.
• The program is to be based on the threats
identified in Sec. 21.96.250.
• Licensees shall designate one or more employees,
an outside vendor, or third-party service
provider to be responsible for the security
program.
• A licensee's information security program must:
• Contain safeguards to protect security and
confidentiality of nonpublic information and
the information system
• Protect against threats, hazards, and
unauthorized access to nonpublic information
• Establish a schedule for retention of
nonpublic information
• Establish a mechanism for secure destruction
of nonpublic information.
• The development and upkeep process of the
licensee's information security program shall:
• Implement appropriate security measures such
as information access controls,
identification and management of data access
points, physical access controls,
encryption, secure development practices,
regular tests, audit trails, disaster
responses, and secure disposal
• Determine cybersecurity risks to include in
the licensee's risk management process
• Stay informed of emerging threats or
vulnerabilities
• Include cybersecurity risks in the
licensee's enterprise-wide risk management
process
• Provide personnel with cybersecurity
awareness training
• Implement information safeguards addressing
identified threats and annually assess
effectiveness of safeguards
• Exercise due diligence in the third-party
service provider selection process
• Monitor, evaluate, and adjust the
information security program as appropriate
• Establish a written incident response plan
for responding to a cybersecurity event that
addresses
• Internal response processes
• Goals of the plan
• Roles, responsibilities, and decision
authority
• Internal processes for communication and
information sharing
• Plans for how to remediate identified
weaknesses
• Documentation and reporting of
cybersecurity events
• Evaluation and revision process of
incident response plan
• 21.96.250(d) requires the licensee board to
delegate responsibility of the program to
executive management which is required to at
least once a year develop a report that:
• Provides overall status of the information
security program and compliance with the
contents of this bill
• Material matters related to the information
security program such as assessments,
decisions, test results, cybersecurity
events, and more
• If the executive management uses a delegate to
implement the program, the executive management
is required to oversee the development of the
program by the delegate
• 21.96.260(f) sets requirements for licensees
domiciled in the state to submit annual reports
to the Director of Insurance certifying that the
licensee complies with AS 21.96.50, including
keeping records for at least five years.
Sec. 21.96.270. Investigation of cybersecurity event
Sets investigating requirements for licensees when a
cybersecurity event occurs.
• If a cybersecurity event occurs, the licensee or
responsible party shall investigate the event and
assess the nature and scope of the event, identify
nonpublic information involved, restore the security
of the information systems that were compromised,
and retain relevant information for a period of at
least 5 years
Sec. 21.96.280. Notification of cybersecurity event
Sets notification criteria for licensees when a
cybersecurity event occurs
• Licensees must notify the director of insurance
within 72 hours of a cybersecurity event occurring.
Licensees are affected if:
• They are insurers domiciled in the state
• They are insurance producers in which Alaska is
their home state
• The cybersecurity event involves nonpublic
information of 250 or more consumers and:
• State or federal law requires notice to a
government agency
• There is a reasonable likelihood of
materially harming a consumer in the state
or the licensee's normal operations
• The report to the director of insurance must include
information specified in AS 21.96.280(b)(1)-(13) in a
form and format as prescribed by the director
• 21.96.280(e) allows the 72-hour notification period
to begin one day after the licensee is made aware of
a cybersecurity event affecting information systems
maintained by third-party service providers
• 21.96.280(f) sets requirements for assuming insurers
to notify affected ceding insurers and the
appropriate supervisory official of the licensee's
state of domicile
Sec. 21.96.290. Confidentiality
Establishes that all information shared with the
Division by licensees remains strictly confidential.
This means that the information is:
• not subject to inspection and copying under
AS 40.25.110
• not obtainable by subpoena or discovery
• not admissible in evidence in private civil
action
21.96.290(b), (c), (d), and (e) give privileges to the
director when using documents, materials, or
information as described earlier in this section when
done in the performance of the duties of the director.
Sec. 21.96.300. Applicability
This section establishes the criteria for which
licensees are not subject to the provisions set by
this bill.
• Licensee with fewer than 10 employees
• Licensees that are employees, agents,
representatives, or designees of another licensee
that is already covered by an information
security program
• Licensee is subject to and in compliance with the
Health Insurance Portability and Accountability
Act of 1996 (P.L. 104-191)
Sec. 21.96.310. Enforcement; penalties
Adds additional powers of examination and
investigation to the director under AS 21.06.120.
• Does not create or imply a private cause of
action if a licensee is found in violation of the
stipulations within this bill (AS 21.96.250 -
21.96.399)
Sec. 21.96.399. Definitions
Adds definitions. Highlighted definitions are listed
below:
• "Cybersecurity event" means an event resulting in
unauthorized access to or disruption or misuse
of an information system or information stored on
the information system
• "Information security program" means the
administrative, technical, and physical
safeguards that a licensee uses to access,
collect, distribute, process, protect, store,
use, transmit, dispose of, or otherwise handle
nonpublic information
• "Licensee" means a person licensed, authorized to
operate, or registered, or required to be
licensed, authorized, or registered, under the
insurance laws of the State of Alaska
Section 2:
Changes to Rules 26, 402, and 501, Alaska Rules of
Evidence.
• Rule 26 - Prohibits discovery of evidence in the
possession or control of the division of
insurance that was provided by a licensee under
AS 21.96.260(f) or 21.96.280(b)(2)-(5), (8),
(10), or (11) or that is obtained by the director
in an investigation or examination under AS
21.96.310.
• Rules 402 and 501 - AS 21.96.290(a)(4) and (c),
enacted in Sec. 1 of this Act, prevent the
director of the Division of Insurance, acting
under the authority of the director, from being
compelled to testify about confidential or
privileged documents. It also precludes
admissibility of evidence in a private action of
documents, materials, or other privileged
information.
Section 3:
This section notices the Division to begin the process
of writing regulations but does not implement any
before the effective date in Sec. 8 of this Act.
Section 4:
A conditional effect for AS 21.96.290(a)(3) and (4)
and (c) enacted by Sec. 1 of this bill requires a two-
thirds majority vote of each house as required for
court rules changes required by art. IV, sec. 15, of
the Constitution of the State of Alaska
Section 5:
Sec. 3 takes effect immediately so that the Division of
Insurance can start drafting regulations.
Section 6:
Sets an effective date for several provisions of this
bill of January 1, 2025 to give insurance companies
and producers time to comply.
Section 7:
Sets an effective date of January 1, 2026 to give
insurance companies and producers time to find a
third-party service provider.
Section 8:
Except as provided in secs. 5 - 7 of this bill, this
Act takes effect January 1, 2024, thus allowing time
for compliance.
2:24:03 PM
SENATOR KIEHL expressed gratitude to the bill sponsor for
bringing this bill forward, stating he is a fan of privacy
protections. He expressed that SB 134 is a starting point to
better understand the scope of the issue. He referred to the
definitions section, stating the bill appears to focus
exclusively on cybersecurity and computerized information. He
asked whether anything in the bill, or already in statute,
addresses how insurance companies protect personally
identifiable information in physical form, such as paper
records.
2:24:50 PM
SENATOR KAUFMAN said his intention is to defer questions of a
broader scope to the director of the Division of Insurance.
2:25:30 PM
CHAIR CLAMAN directed the question to Director Wing-Heier.
2:25:42 PM
LORI WING-HEIER, Director, Division of Insurance, Department of
Commerce, Community & Economic Development, Anchorage, Alaska,
replied that AS 21 provides for some very limited authority in
the event of a data breach. It does not extend to cybersecurity.
She noted that nearly every agency is now paper-free, meaning
the primary concern is a cyber risk rather than physical paper
risks. She clarified that while the Division's authority is
limited, insurers are required to report breaches. When a breach
occurs, the Division works with the company to ensure clients
are notified and appropriate remedies, such as free credit
monitoring, are offered based on the specifics of the situation.
2:26:36 PM
SENATOR KIEHL said that SB 134 includes language about notifying
the director of the Division of Insurance when a cybersecurity
event or data breach occurs but does not appear to directly
address consumer notification. He noted that the statutes
reference the Alaska Personal Information Protection Act and
questioned whether it requires consumer notification. He asked
whether existing statutes address how notification is handled.
2:27:03 PM
MS. WING-HEIER replied that while the Alaska Statutes give very
limited statutory direction, the Division would most definitely
require notification to consumers if their data were
compromised. She shared some recent headline news about a Change
Healthcare data breach, stating that Change Healthcare, a
platform owned by UnitedHealth [Group], experienced a breach in
February that severely disrupted pharmacies, hospitals, and
medical clinics nationwide. She explained that Change Healthcare
provides various platforms for preauthorization of medical
services and prescriptions, and the breach left many facilities
unable to operate normally.
MS. WING-HEIER stated that the Division has very little
authority to work with Change Healthcare because Alaska does not
have a cybersecurity law. She reported that she had just
returned from the spring National Association of Insurance
Commissioners (NAIC) meeting last night, where the chief
executive officer (CEO) participated in a regulator-to-regulator
session. She said the CEO was strongly questioned due to the
massive scale of the breach. Some clinics and facilities may be
forced to close because they are not receiving payments and
cannot meet payroll obligations. Change Healthcare not only
processes UnitedHealthcare claims, but handles claims for many
insurance companies, doctors, and pharmacists.
MS. WING-HEIER said the Division issued a bulletin to try and
help consumers, emphasizing that it was about as far as she
could go under current law.
2:28:39 PM
SENATOR KIEHL sought confirmation about consumer breach
notifications, asking whether she is comfortable with AS 45.48,
and other statutes, providing sufficient authority to notify or
require an insurer to notify customers of a breach of their
data.
MS. WING-HEIER replied that the Division of Insurance relies on
existing statutory authority to ensure consumer notification of
a breach of their data.
2:29:10 PM
CHAIR CLAMAN commented that, if the legislature wanted, it could
add a provision to statute that required consumer notification.
2:29:19 PM
SENATOR TOBIN noted that the definition section in SB 134
includes some thorough definitions and remarked that she would
be hard-pressed to craft definitions as eloquently written. She
asked whether the sponsor based the bill on model legislation
from another entity or whether the sponsor's staff drafted the
definitions.
SENATOR KAUFMAN expressed appreciation for his staff, describing
them as marvelous, and said SB 134 was a collaborative effort.
He stated that while other models influenced the definitions,
the bill also reflects input from industry professionals and
other stakeholders. He explained that the team developed a
matrix to identify problems, propose solutions, and mitigate
potential effects. He said the work is ongoing and anticipates
further input and clarification as the bill moves forward.
SENATOR KAUFMAN highlighted that while the comprehensive list of
actions outlined in the bill is remarkable, even more so is the
realization that many of these data protections are not yet
standard practice. He said that though the goal of protecting
data is simple, the complexity lies in implementing it without
increasing costs, creating bottlenecks, or introducing
irreconcilable conflicts.
2:31:24 PM
SENATOR TOBIN stated that one of the strongest levels of
consumer protection is double encryption but expressed
uncertainty about its feasibility within the insurance industry.
She explained that achieving such protection would require
decoupling identifying information to enable end-to-end
encryption. She asked whether it is possible to decouple
identifying information to provide an extra level of consumer
protection, or whether that would be too great a hill to climb.
MS. WING-HEIER replied that specific claim information is double
encrypted, particularly within health payment utilization
databases. She noted that while claim data is transmitted with
encryption, underwriting information is not necessarily double
encrypted. She explained that if a data breach were to occur
during the underwriting process, it could expose individual
files containing sensitive personal details like Social Security
numbers, dates of birth, and other collected information. She
emphasized that this concern applies not only to health or life
insurance, but to all types of insurance.
2:32:44 PM
SENATOR TOBIN said she was unsure whether additional protections
were possible within the current framework. She referenced the
definition of "encrypt" on page 13, line 19, and questioned
whether there might be opportunities to strengthen the language
or add provisions to enhance data security. She expressed
concern for her own family members, noting that while they rely
on various insurance tools for protection, it is equally
important to ensure that their personal data is safeguarded.
SENATOR TOBIN asked whether there is a way to provide some
clarity on what the committee can and cannot double encrypt and
about other protections the committee could add. The expectation
is to decouple as much information as possible.
MS. WING-HEIER replied that she could work with the bill sponsor
and his staff but surmised insurers would likely say that
changes to their platforms and programs would be necessary. She
stated that she would look into the matter and report back on
whether additional safeguards could be incorporated into the
bill to better protect personal information.
2:34:32 PM
SENATOR KIEHL observed that SB 134 includes deadlines for
insurers to notify the director when a breach occurs in a system
maintained by a third party under contract with the insurer. He
noted that the notification timeline begins once the third party
informs the insurer. He asked whether there is a deadline by
which the third party must notify the insurer.
SENATOR KAUFMAN replied that the chain of notification, how to
manage it, and the related accountabilities are part of the
ongoing work of SB 134. He deferred to the director to address
some of the details.
2:35:20 PM
MS. WING-HEIER stated that the insurance industry approached the
bill sponsor and asked for a notification deadline revision from
72 hours to three days. She agreed to the change on the
condition that the first day begins when the insurer is notified
of the breach. She explained that this becomes more complicated
with third-party vendors because the Division does not have
direct statutory or regulatory authority over them. She
clarified, however, that she does have authority over the
insurance company and can hold insurers accountable for their
vendors' actions. She emphasized that insurers are liable for
their vendors' conduct.
MS. WING-HEIER reiterated that the Division expects the insurer,
not the vendor, to notify the department within three days of
being informed of a breach. She added that this issue has been a
major topic of discussion, particularly as the algorithms and
models used by third-party vendors present concerns.
MS. WING-HEIER concluded by stating SB 134 proposes the insurer
inform the Division within three days of when the vendor
notifies them. Ideally, the insurer's contract requires the
vendor to make immediate notification.
2:36:30 PM
SENATOR KIEHL said he is interested in working with the
sponsor's office and the director on language that would require
insurance companies to include contractual provisions that
ensure timely notification of a data breach. He said the goal is
to give the director the power to enforce such provisions and
activate a response plan to prevent situations where affected
individuals never receive notice.
SENATOR KIEHL shifted to a new topic, referencing the director's
use of the word "liable." He brought up the confidentiality
provisions in SB 134, stating that it is unclear how far they
extend. It appears the provisions prohibit disclosure of
personal identifiable information in lawsuits against a company.
However, it is not clear whether they prohibit any information
from the Division from being used in court if an individual sues
a company for violating cybersecurity rules. He asked how far
those confidentiality provisions go.
MS. WING-HEIER replied that it is fairly clear that the Division
has to keep confidential any market conduct, examination, or
investigation files. However, this does not prevent a private
citizen from obtaining information directly from the insurance
company through court action. She explained that to ensure an
investigation is not impeded, Division files are confidential;
this is true for just about any investigation the Division conducts.
She said that while Division files are confidential, it does not
bar individuals from pursuing them through the parties
responsible for the data breach.
2:38:29 PM
SENATOR KIEHL sought confirmation that the need for a court rule
change is consistent with existing process and practice.
MS. WING-HEIER replied that is precisely why SB 134 requires a
court rule change. She explained that, under standard
procedures, a person might be able to obtain information from
the Division as the entity in possession of the data. However, a
provision in SB 134 explicitly states that such information
cannot be obtained from the Division. Instead, individuals must
seek it from the party responsible for the breach, such as the
insurance company, adjuster, or brokerage firm that held the
data.
SENATOR KIEHL responded that, in that case, this provision
appears to differ from standard practice.
MS. WING-HEIER agreed and clarified her answer, confirming that
it does differ. She noted that is why the court rule change is
necessary and why it requires a two-thirds vote for adoption of
the change.
2:39:30 PM
SENATOR TOBIN expressed her understanding that SB 134 exempts
small brokerage firms with fewer than ten employees. She assumed
this exemption was intended to avoid placing an undue burden on
smaller firms. She asked how the exemption would apply to
brokerage firms operating under a franchise model. She explained
that her own insurance provider, for example, operates under the
auspices of New York Life but may only have one or two employees
in the local office. She asked whether such franchised offices
would be required to meet the stipulations of the legislation or
would fall under its exemption.
MS. WING-HEIER replied, in that example of a franchise, the
Division expects firms such as Marsh McLennan Agency, State
Farm, or Allstate to comply. However, under SB 134, small
independent businesses with ten employees or fewer would be
eligible for a compliance waiver.
SENATOR TOBIN requested a better understanding of the court rule
change.
2:41:13 PM
CHAIR CLAMAN invited Ms. Meade from the Alaska Court System to
put herself on the record to answer questions.
2:41:28 PM
NANCY MEADE, General Counsel, Administrative Offices, Alaska
Court System, Anchorage, Alaska, answered questions during the
discussion of SB 134.
2:41:39 PM
SENATOR TOBIN referenced the indirect court rule amendments on
page 15 of SB 134. She noted that the language essentially
establishes a change in court rules and creates new privileges
for the Division of Insurance. She expressed interest in hearing
the Alaska Court System interpretation of and input on these
provisions, noting that court rule changes should be made
judiciously.
2:42:08 PM
MS. MEADE said SB 134 proposes fairly routine court rule
changes, which the legislature makes when it establishes
statutory provisions that are part of substantive legislation.
MS. MEADE referred to page 10, line 22, which outlines specific
and unique confidentiality provisions that would be privileged
and not subject to discovery. These provisions are directly
linked to the first indirect court rule amendment, Rule 26, the
discovery rule, found on page 15, line 15. She stated that, in
general, the discovery rule allows parties in a civil case to
obtain any relevant information that would help them in
preparing their case unless an exception applies. SB 134 creates
such an exemption on page 10, starting on line 22. It is a
discovery rule exception and because it affects Rule 26, a
corresponding amendment is required in the indirect court rule
amendment section on page 15.
MS. MEADE continued explaining proposed changes to Alaska Rules
of Evidence 402 and 501 on page 15, line 21. These changes
pertain to admissible evidence and recognized privileges, such
as spousal or psychotherapist-patient privilege. Alaska Rules of
Evidence 402 and 501 must recognize these special privilege
changes in law, which is the basis for these indirect court rule
amendments.
2:44:12 PM
CHAIR CLAMAN observed that one of the challenges in highly
accessible internet environments, such as insurance, is
balancing access and privacy. He said that as a consumer, people
want to find information about their coverage, whether it be
medical, auto, or otherwise. Consumers want to find information
quickly and easily without navigating numerous layers. By the
same token, consumers want their personal data to remain
inaccessible to others. He praised SB 134 for addressing this
complex dynamic. The legislation enables consumer access while
preventing unauthorized access, a balance that is difficult to
achieve.
2:45:21 PM
SENATOR KAUFMAN agreed, noting that achieving this balance has
been central to the legislation. He stated that SB 134 affects
many components and must be implemented carefully to avoid
loopholes. He remarked that the bill reflects the broader
challenge of updating statutes in a rapidly evolving
technological environment. Gaps in statute occur when the speed
of technology outpaces lawmaking, and making these changes is
not easy, often causing updates to languish. He emphasized the
importance of crafting legislation that not only protects data
but also facilitates commerce by allowing consumers controlled
access to their information through secure portals.
2:46:44 PM
CHAIR CLAMAN opened public testimony on SB 134; finding none, he
closed public testimony.
2:47:03 PM
CHAIR CLAMAN held SB 134 in committee.