Legislature(2005 - 2006)BUTROVICH 205
03/01/2006 08:30 AM Senate JUDICIARY
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
| Marker | Bill | Status |
|---|---|---|
| + | SB 252 | TELECONFERENCED |
| += | SB 301 | TELECONFERENCED |
| += | SB 249 | TELECONFERENCED |
| + | | TELECONFERENCED |
| = | SJR 20 | |
| = | SB 216 | |
| = | SB 222 | |
| = | SB 284 | |
SB 222-PROTECTION OF PERSONAL INFORMATION
9:31:07 AM
CHAIR RALPH SEEKINS announced SB 222 to be up for consideration.
SENATOR GRETCHEN GUESS, sponsor, asked for the testimony of
David Lawer.
9:31:46 AM
DAVID LAWER, Senior Vice President, First National Bank of
Alaska testified on Section 1, Personal Information Protection
Act. He said SB 222 has far reaching implications, not only for
financial institutions but also for every person in the state.
He said the bill poses substantial risks for all people and that
violations would be brought about for situations where personal
information was not even divulged.
9:33:57 AM
MR. LAWER asserted financial institutions have intense
information security systems yet they can be breached
unintentionally. He said he left his computer on the night
before and the janitor could have accessed his accounts. He said
SB 222 would make the bank notify over 55,000 people of that
security breach.
9:36:08 AM
MR. LAWER said the bank shares personal information with other
entities such as their credit card system. Taking the bill to a
personal level, he said as a landlord, he possesses information
regarding his tenant and said he would be in violation of SB 222
if he were to leave a rent check on his desk at home. He hoped
that was not the intended consequence of the legislation. He
advised the committee that he had technical amendments suggested
by other banking officials to submit.
9:38:27 AM
SENATOR THERRIAULT noted he and Senator Guess were studying the
different suggestions made and were attempting to strike a fair
balance. He asked the reason that the public shouldn't expect a
tighter security system at the bank.
MR. LAWER conceded the consumer should expect better security
and said his computer at work has a series of passwords as a
firewall. His worry was that simply having a janitor alone in
his office with his computer would be a breach of security as he
sees the bill written. Nevertheless, under the definition of
security breach the bank would be obliged to notify the 55,000
customers of the incident.
9:41:24 AM
SENATOR FRENCH questioned whether it would be a breach when a
person attempted to access a computer but was halted due to a
password request.
MR. LAWER said yes since there was no definition of "breach of
security" in the bill.
SENATOR GUESS stated, for edification, that "breach of security"
is defined on page 3, line 29, and "information systems" is
defined on page 24, line 12 in version I.
9:43:53 AM
SENATOR GUESS said she was unclear whether Mr. Lawer was
suggesting that the bill sponsors add violations for security
breaches within Section 1.
MR. LAWER responded it was the position of the banker's
association that the violation be "the failure to disclose the
fact of unauthorized disclosure of the information," and they
need only alert the person whose information they have reason to
believe was compromised.
9:46:08 AM
CHAIR SEEKINS asked the number of people in the bank systems
that have access to information that would be protected under SB
222.
MR. LAWER said everyone. Every account starts with an
application and every application contains not only the
customer's name but also one or more of the other elements.
CHAIR SEEKINS asked whether they were required by federal law to
obtain a person's social security number.
MR. LAWER said correct.
CHAIR SEEKINS asked Mr. Lawer to describe security measures as
they pertain to federal law.
MR. LAWER said they perform periodic risk assessments and in
circumstances where they detect the possibility of unauthorized
disclosure they notify customers about that circumstance. The
regulations are fluid. The bank is examined and audited
annually, including the security system and the systems of the
entities they contract with. The scope of the audit continually
increases and as a result, identifies the need for greater
security measures.
9:49:08 AM
Credit card companies are a good example. The bank is obliged to
see to the integrity of that security system as well.
CHAIR SEEKINS asked whether the federal regulators audit the
security practices of the bank's contractors.
MR. LAWER said yes.
CHAIR SEEKINS asked whether they meet the same standards as the
bank.
MR. LAWER said he suspected they meet higher standards.
CHAIR SEEKINS asked whether the auditors generally find areas of
weaknesses.
MR. LAWER said auditors have a different perception of
weaknesses. For instance, the last audit suggested a need for
seven-character passwords that include at least one number. He
questioned whether that constituted a weakness in the security
system.
CHAIR SEEKINS asked Mr. Lawer his opinion of the risk of
unauthorized penetration of the bank's security system.
MR. LAWER said he believed their only exposure was internal. The
bank's computer systems cannot be accessed by anyone not
connected internally. The greater risk is of exposed physical
records and the bank has suffered a burglary in the past.
9:52:44 AM
CHAIR SEEKINS asked Mr. Lawer whether his bank had clear
policies for employees on how to comply with all privacy
policies.
MR. LAWER said yes. They support extensive personnel policies as
well as other procedures relating to information security.
CHAIR SEEKINS announced a brief recess at 9:53:35 AM.
9:53:53 AM
CHAIR SEEKINS held the bill in committee.