Legislature (2023 - 2024), BELTZ 105 (TSBldg)
02/05/2024 01:30 PM Senate LABOR & COMMERCE
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
*+ SB 134 TELECONFERENCED
*+ SB 166 TELECONFERENCED
SB 134-INS. DATA SECURITY; INFO. SECURITY PRGRMS
1:32:56 PM
CHAIR BJORKMAN announced the consideration of SENATE BILL NO.
134, "An Act relating to insurance data security; amending Rule
26, Alaska Rules of Civil Procedure, and Rules 402 and 501,
Alaska Rules of Evidence; and providing for an effective date."
1:33:17 PM
SENATOR MERRICK and SENATOR BISHOP joined the meeting.
1:33:25 PM
DOMINICK HARNETT, Staff, Senator James Kaufman, Alaska State
Legislature, Juneau, Alaska, read the following introductory
statement on SB 134:
[Original punctuation provided.]
SB 134 is intended to address increasing concern over
data breaches within the insurance industry over the
last several years. These companies maintain the
sensitive personal, financial, and health information
of millions of consumers and it is important to
establish set standards to reduce the potential damage
of data breaches within the industry. SB 134 would
require state licensed insurance companies to perform
a full risk assessment of their internal and external
threats and then develop, implement and maintain an
information security program based upon those threats.
The standards this bill sets up are not wide in scope,
but they do set standards for governance, risk
management, risk assessment, third party risk
management and incident response.
SB 134 also lays out specific requirements for
incident investigation and notification. The bill
empowers the Division of Insurance with the tools
necessary to effectively oversee protection of
Alaskans' sensitive personal information by licensees.
Similar legislation already exists in at least 23
other states and the federal government has urged
states to adopt similar measures reflecting a
nationwide recognition of the importance of these
provisions.
We believe SB 134 is a proactive approach to
protecting Alaskan citizens' personal information from
cyberthreats and will enhance consumer protections and
bolster the cybersecurity position of the insurance
industry.
1:35:18 PM
SENATOR JAMES KAUFMAN, District F, Alaska State Legislature,
Juneau, Alaska, deferred discussion of SB 134 to his staff, Mr.
Harnett.
1:35:49 PM
MR. HARNETT presented the sectional analysis for SB 134:
[Original punctuation provided.]
Sectional Analysis for SB 134 Version B
"An Act relating to insurance data security; amending
Rule 16, Alaska Rules of Civil Procedure, and Rules
402 and 501, Alaska Rules of Evidence; and providing
for an effective date."
Section 1:
AS 21.96 is amended by adding new sections related to
insurance data security.
Sec. 21.96.250. Risk Assessment
Licensees shall conduct a risk assessment of nonpublic
information.
• In conducting the risk assessment, the licensee
shall identify reasonably foreseeable internal
and external threats, assess the likelihood and
potential damage of threats, and assess the
sufficiency of current safeguards in protecting
nonpublic information.
• A licensee shall use this risk assessment to
design the information security program required
in the next section.
1:36:44 PM
MR. HARNETT continued the sectional analysis for SB 134:
[Original punctuation provided.]
Sec. 21.96.260. Information Security Program
Licensees shall develop, implement, and maintain an
information security program.
• The program is to be based off the threats identified in Sec 21.96.250
• Licensees shall designate one or more employees, an outside vendor, or third-party service provider to be responsible for the security program.
• A licensee's information security program must:
  • Contain safeguards to protect security and confidentiality of nonpublic information and the information system
  • Protect against threats, hazards, and unauthorized access to nonpublic information
  • Establish a schedule for retention of nonpublic information
  • Establish a mechanism for secure destruction of nonpublic information
• The development and upkeep process of the licensee's information security program shall:
  • Implement appropriate security measures such as information access controls, identification and management of data access points, physical access controls, encryption, secure development practices, regular tests, audit trails, disaster responses, and secure disposal
  • Determine cybersecurity risks to include in the licensee's risk management process
  • Stay informed of emerging threats or vulnerabilities
  • Include cybersecurity risks in the licensee's enterprise-wide risk management process
  • Provide personnel with cybersecurity awareness training
  • Implement information safeguards addressing identified threats and annually assess effectiveness of safeguards
1:38:20 PM
MR. HARNETT continued the sectional analysis for SB 134:
[Original punctuation provided.]
  • Exercise due diligence in the third-party service provider selection process
  • Monitor, evaluate, and adjust the information security program as appropriate
  • Establish a written incident response plan for responding to a cybersecurity event that addresses
    • Internal response processes
    • Goals of the plan
    • Roles, responsibilities, and decision authority
    • Internal processes for communication and information sharing
    • Plans for how to remediate identified weaknesses
    • Documentation and reporting of cybersecurity events
    • Evaluation and revision process of incident response plan
21.96.250(d) requires the licensee board to delegate responsibility of the program to executive management which is required to at least once a year develop a report that:
  • Provides overall status of the information security program and compliance with the contents of this bill
  • Material matters related to the information security program such as assessments, decisions, test results, cybersecurity events, and more
  • If the executive management uses a delegate to implement the program, the executive management is required to oversee the development of the program by the delegate
1:39:33 PM
MR. HARNETT continued the sectional analysis for SB 134:
[Original punctuation provided.]
21.96.260(f) sets requirements for licensees
domiciled in the state to submit annual reports
to the Director of Insurance certifying that
the licensee complies with AS 21.96.50,
including keeping records for at least five
years.
Sec. 21.96.270. Investigation of cybersecurity event
Sets investigating requirements for licensees when a
cybersecurity event occurs.
• If a cybersecurity event occurs, the licensee or
responsible party shall investigate the event and
assess the nature and scope of the event,
identify nonpublic information involved, restore
the security of the information systems that were
compromised, and retain relevant information for
a period of at least 5 years
1:40:22 PM
MR. HARNETT continued the sectional analysis for SB 134:
[Original punctuation provided.]
Sec. 21.96.280. Notification of cybersecurity event
Sets notification criteria for licensees when a
cybersecurity event occurs
• Licensees must notify the director of insurance within 72 hours of a cybersecurity event occurring. Licensees are affected if:
  • They are insurers domiciled in the state
  • They are insurance producers in which Alaska is their home state
  • The cybersecurity event involves nonpublic information of 250 or more consumers and the event and:
    • State or federal law requires notice to a government agency
    • There is a reasonable likelihood of materially harming a consumer in the state or the licensee's normal operations
• The report to the director of insurance must include information specified in AS 21.96.280(b)(1-13) in a form and format as prescribed by the director
• 21.96.280(e) allows the 72-hour notification period to begin one day after the licensee is made aware of a cybersecurity event affecting information systems maintained by third-party service providers
• 21.96.280(f) sets requirements for assuming insurers to notify affected ceding insurers and the appropriate supervisory official of the licensee's state of domicile
1:41:40 PM
MR. HARNETT continued the sectional analysis for SB 134:
[Original punctuation provided.]
Sec. 21.96.290. Confidentiality
Establishes that all information shared with the
Division by licensees remains strictly confidential.
This means that the information is:
• not subject to inspection and copying under AS
40.25.110
• not obtainable by subpoena or discovery
• not admissible in evidence in private civil
action
21.96.290(b), (c), (d), (e) gives privileges to the
director when using documents, materials, or
information as described earlier in this section when
done in the performance of the duties of the director.
1:42:25 PM
MR. HARNETT continued the sectional analysis for SB 134:
[Original punctuation provided.]
Sec. 21.96.300. Applicability
This section establishes the criteria for which
licensees are not subject to the provisions set by
this bill.
• Licensee with fewer than 10 employees
• Licensees that are employees, agents,
representatives, or designees of another licensee
that is already covered by an information
security program
• Licensee is subject to and in compliance with the
Health Insurance Portability and Accountability
Act of 1996 (P.L. 104-191)
Sec. 21.96.310. Enforcement; penalties
Adds additional powers of examination and
investigation to the director under AS 21.06.120.
• Does not create or imply a private cause of
action if a licensee is found in violation of the
stipulations within this bill (AS 21.96.250 -
21.96.399)
Sec. 21.96.399. Definitions
Adds definitions. Highlighted definitions are listed
below:
• "Cybersecurity event" means an event resulting in
unauthorized access to or disruption or misuse
of an information system or information stored on
the information system
• "Information security program" means the
administrative, technical, and physical
safeguards that a licensee uses to access,
collect, distribute, process, protect, store,
use, transmit, dispose of, or otherwise handle
nonpublic information
• "Licensee" means a person licensed, authorized to
operate, or registered, or required to be
licensed, authorized, or registered, under the
insurance laws of the State of Alaska
1:44:15 PM
MR. HARNETT continued the sectional analysis for SB 134:
[Original punctuation provided.]
Section 2:
Rule 26, 402, and 501 Alaska Rules of Evidence
changes.
• Rule 26 - Prohibits discovery of evidence in the
possession or control of the division of
insurance that was provided by a licensee under
AS 21.96.260(f) or 21.96.280(b)(2)-(5), (8),
(10), or (11) or that is obtained by the director
in an investigation or examination under AS
21.96.310.
• Rule 402 and 501 AS 21.96.290(a)(4) and (c)
enacted in Sec. 1 of this Act prevent the
director of the division of insurance acting
under the authority of the director from being
compelled to testify about confidential or
privileged documents. It also precludes
admissibility of evidence in a private action of
documents, materials, or other privileged
information.
Section 3:
This section notices the Division to begin the process
of writing regulations but does not implement any
before the effective date in Sec. 8 of this Act.
1:45:26 PM
MR. HARNETT continued the sectional analysis for SB 134:
[Original punctuation provided.]
Section 4:
A conditional effect for AS 21.96.290(a)(3) and (4)
and (c) enacted by Sec. 1 of this bill requires a
two-thirds majority vote of each house as required for
court rules changes required by art. IV, sec. 15, of
the Constitution of the State of Alaska.
Section 5:
Sec.3 takes effect immediately so that the Division of
Insurance can start drafting regulations.
Section 6:
Sets an effective date for several provisions of this
bill of January 1, 2025 to give insurance companies
and producers time to comply.
Section 7:
Sets an effective date of January 1, 2026 to give
insurance companies and producers time to find a
third-party service provider.
Section 8:
Except as provided in secs. 5 - 7 of this bill, this
Act takes effect January 1, 2024, thus allowing time
for compliance.
1:45:58 PM
MR. HARNETT explained that the dates in sections 6, 7, and 8
would each need to be updated to be one year later.
1:46:52 PM
SENATOR BISHOP referred to Section 4 and sought clarification
regarding the two-thirds vote that is required for a court rule
change.
1:47:08 PM
MR. HARNETT replied that, according to the constitution, a court
rule change would require a two-thirds vote. He explained that,
in this case, the court rule change is related to the
confidentiality section and changes to the discovery.
SENATOR BISHOP sought further clarification.
MR. HARNETT explained that no part of SB 134 would go into
effect if the two-thirds voting requirement was not met.
SENATOR BISHOP offered his understanding that it is a two-thirds
vote on the bill.
MR. HARNETT replied yes.
SENATOR BISHOP noted that sections 3 and 5 take effect
immediately and questioned whether SB 134 should include a
specific deadline for the regulation package.
MR. HARNETT deferred to Ms. Wing-Heier.
1:49:24 PM
LORI WING-HEIER, Director, Division of Insurance, Department of
Commerce, Community and Economic Development (DCCED), Anchorage,
Alaska, answered that the Division of Insurance could have
regulations complete within 6 months.
1:50:35 PM
MS. WING-HEIER asserted that SB 134 is common sense for
insurance companies and producers who are exempting firms or
small companies with fewer than 10 employees. She surmised that
companies with more than 10 employees likely have an existing
cyber-security program in place. She explained that the National
Association of Insurance Commissioners (NAIC) put SB 134 forward
in response to the Federal Government's cyber-policy
requirement. She explained that the division worked with
industry partners over several years to come up with the current
proposal.
1:52:19 PM
SENATOR DUNBAR noted that SB 134 does not create a private right
of action. He asked if an existing private right of action would
be extinguished.
1:52:43 PM
MS. WING-HEIER offered her understanding that SB 134 does not
remove the right to bring an action against a broker or
insurance company. She explained that it stops someone from
subpoenaing the division for data. Instead, this data would need
to come directly from the broker or the insurance company.
1:53:12 PM
SENATOR DUNBAR asked if Ms. Mitchell agreed with Ms. Wing-Heier's
response and if she had additional input.
1:53:30 PM
SUSAN MITCHELL, Attorney, Civil Division, Department of Law,
Anchorage, Alaska, answered questions on SB 134. She said that
she agreed with Ms. Wing-Heier's response.
1:54:13 PM
CHAIR BJORKMAN opened public testimony on SB 134.
1:54:58 PM
PAMELA SAMASH, representing self, Nenana, Alaska, testified in
support of SB 134. She surmised that customers expect privacy
and that insurance providers would do whatever they need to do
to ensure the safety of their customers' data. She emphasized
that it is important to be "one step ahead" in the digital age.
1:56:27 PM
CHAIR BJORKMAN kept public testimony open and held SB 134 in
committee.