Legislature(2005 - 2006)BELTZ 211
01/24/2006 01:30 PM Senate LABOR & COMMERCE
| Audio | Topic |
|---|---|
| Start | |
| SB222 | |
| SB207 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| *+ | SB 222 | TELECONFERENCED | |
| *+ | SB 207 | TELECONFERENCED | |
SB 222-PROTECTION OF PERSONAL INFORMATION
CHAIR CON BUNDE announced SB 222 to be up for consideration.
SENATOR GRETCHEN GUESS, co-sponsor of SB 222, recapped the
purpose of the bill saying that the problem of identify theft is
worse this year than last.
1:38:00 PM
SENATOR GENE THERRIAULT, co-sponsor of SB 222, said he read an
article that said 1,600 cases of fraud and identify theft were
reported in 2004; of those, 400 were identity theft. He
explained that it is very difficult to get control of one's
economic and personal data once it has been stolen. Recognizing
that consumers benefit from rapid data availability, he realized
that simply freezing data wouldn't allow stores quick access to
information on customers who are applying for a credit card, for
instance, to take advantage of a special sale; and he still
wanted to give consumers the option of being able to freeze
access to their data.
1:43:41 PM
CHAIR BUNDE asked if he also envisioned an instant "opt out"
option so that a credit report could be quickly obtained by a
business that has had a person apply for one of their credit
cards. He also asked how quickly a person could apply the remedy
if his information had been stolen and used.
SENATOR THERRIAULT responded that that is what he hoped
testimony would cover today.
1:44:50 PM
SENATOR RALPH SEEKINS asked what interstate implications this
bill would have, since it would be Alaska law and most credit
bureaus that are accessed for personal information are
headquartered outside of Alaska.
SENATOR THERRIAULT responded that the state has the authority to
regulate those companies, because they are responding to
inquiries of businesses within the state of Alaska.
SENATOR SEEKINS asked what if a customer was in Seattle and
there's a big sale at Nordstrom's and he had frozen his account
in Alaska, would there be a statutory requirement for the
enquiry to be frozen.
SENATOR THERRIAULT replied, "I don't think that's the way the
system works." He surmised that for someone who had acquired his
data and pretended to be him, the law would be meaningless in
every one of the other states.
1:48:23 PM
SENATOR SEEKINS asked where the definition of information
collector is located.
SENATOR GUESS replied that that definition is on page 4, lines 6
- 8 and an information collector is a person who owns or uses
personal information in any form... on a state resident.
SENATOR SEEKINS asked if a person who wrote down his zip code
was, by definition, an information collector.
SENATOR GUESS replied no and that the personal information
definition is on page 4, lines 9 - 28 and talks about what
personal information is and, therefore, what it is not.
SENATOR SEEKINS stated he thought that definition needed to be
clarified.
1:51:44 PM
SENATOR GUESS asked if Senator Seekins was referring to an
Alaskan resident who may be in Washington who either wants to
freeze or unfreeze his credit report.
SENATOR SEEKINS rephrased his question stating that the law
would apply to all businesses working in Alaska, but if the
headquarters of ABC Rating Company, for instance, is in Kansas
City (that recognizes our state law) and the enquiry is coming
from the Nordstrom Store in downtown Seattle, does the ABC
Reporting Company have any statutory requirement not to provide
that - even though the customer froze his report in Alaska.
SENATOR THERRIAULT replied that the State of Alaska has the
power to regulate a business entity that is housed outside of
the state if it has agreed and wants to transact business in the
state of Alaska.
1:54:05 PM
CHAIR BUNDE posed his Bahamas question. An Alaskan resident
freezes his credit information; he wins the lottery and moves to
the Bahamas and he hasn't taken the freeze off. Does the freeze
stay there until he removes it - no matter where he resides.
SENATOR THERRIAULT indicated yes.
SENATOR SEEKINS asked for a report on that situation's
enforceability by the time this bill came to the Judiciary
Committee.
SENATOR THERRIAULT noted that the bill breaks down the controls
an individual consumer can exert over his information and what
duties the companies collecting the information have to him, if
there is a breach of their internal security.
1:56:01 PM
SENATOR SEEKINS asked about credit accuracy on page 14. He asked
if a person disputes the credit information, does he have a
responsibility to report it immediately to the information
collector.
SENATOR THERRIAULT replied that the business has the duty to
stop making reports.
1:58:05 PM
SENATOR JOHNNY ELLIS arrived.
1:58:52 PM
SENATOR GUESS responded that language on page 14, line 25, says
that it applies to those companies that are actually
distributing the information, not someone who is using the
information.
SENATOR SEEKINS remarked that he didn't want to end up with an
affirmative responsibility on the part of the merchant who is
trying to gain information to make a credit decision.
2:00:24 PM
JOHN GEORGE, American Council of Life Insurers, said that some
of his concerns had been addressed, but he still had issues. He
didn't think a company should be required to do business with a
person if he refuses to give it his social security number. In
the life insurance business, he said:
We need to make sure that we're paying the right
beneficiary. We need to know that that's absolutely
the right guy and a social security number is a
personal identifier; it's a number that's generally
collected....
He further explained that if a person uses another name, like
their pet cat's name, Fluffy, the person who filled out the
application knows that, but their heirs who are the ones who are
going to be collecting on the policy may not know that. He
explained:
We really need an identifier that is consistent, that
can be verified and for someone to refuse to give that
type of information may make it difficult for us to
identify who the real deceased is and, therefore, who
the legal beneficiaries are.
He also had problems with the notification requirement that
would force them to notify every policyholder in the state that
they had a breach of security if someone accidentally got the
wrong letter in the mail and sent it back.
2:04:01 PM
CHAIR BUNDE asked if banks could still refuse to cash checks
without a person showing his social security number first.
MR. GEORGE replied that he didn't know if cashing a check could
be considered "doing business" and that's the language that is
used. Selling a life insurance policy to someone is really
"doing business" with him.
CHAIR BUNDE instructed him to work with the bill's sponsors on
resolving his issues.
2:05:52 PM
LISA CORRIGAN, President, Alaska Bankers Association, said she
is also Executive Vice President and Chief Operating Officer of
Alaska Pacific Bank. She stated the Alaska Bankers Association
supported the intent of this legislation saying, "Our very
integrity depends upon our ability to safeguard customer
information, not just their money, but any of their sensitive
information."
Her comments pertained to three points of clarification. The
first issue was language in Section 1 concerning disclosure of
breach of security. It appears to state that a bank would have
to notify affected persons regardless of whether sensitive
customer information had actually been accessed for unauthorized
purposes and that language goes too far.
She explained that banks are already operating under numerous
regulatory rules and guidelines from the federal regulatory
authorities governing all banks that was developed as a
requirement in the Gramm-Leach-Blighly Act regarding privacy.
Banks are required to look at how likely it is that such a
breach would occur and how vulnerable their data would be in
that event and they have to come up with a program of response.
Regulation language says:
If the bank determines through this risk assessment
process in their analysis of the breach itself that
such misuse has occurred or it is reasonably possible
that misuse will occur, then notification of affected
customers is required as soon as possible.
Secondly, she recommended different language regarding
notification to law enforcement, again from the banking
interagency guidance. Instead of stating that just the
Department of Law needs to be consulted to see if there is an
on-going investigation, the association wanted to make sure that
all appropriate law enforcement agencies would be referenced.
Thirdly, the protection of social security number language on
page 15 talks about having a waiver for a refusal to do business
with an individual if a business is required to submit a social
security number to the federal government. She pointed out that
there are cases in which a bank is required to obtain a social
security number, as under the Patriot Act, so that an individual
who wants to open an account can be definitively identified. If
that person is not a primary signer on the account, that social
security number will probably not be reported to the IRS and is
held in the bank's records as a form of identification. To
resolve this, she asked the committee to delete "submit" and
insert "obtain" on line 30.
CHAIR BUNDE asked if she thought this legislation prevented her
from requiring a social security number from a person who was
cashing a check at her bank.
MS. CORRIGAN replied that she didn't see that as a problem as
long as the bank is allowed to obtain it without having to
submit it to the federal government.
2:13:58 PM
RON JORDAN, Anchorage, said he was testifying for himself and
his deceased brother-in-law's behalf, having dealt with his
identity theft. His brother-in-law had a housemate who was
renting from him who stole his identification. While Mr. Jordan
supported SB 222, he didn't think the penalties in it were
strong enough. Mandatory jail time and/or restitution should be
involved.
2:16:13 PM
ED SNIFFEN, Assistant Attorney General, said he specializes in
consumer law and supported the overall intent of the sponsors,
but he had some concerns about the way SB 222 would impact a
variety of state agencies that collect personal information as
defined in this bill. He was working to amend some provisions to
provide the protections for state agencies that are trying to
conduct state business without fear of having to absorb enormous
expenses to notify state residents for some incidental and
perhaps unintentional exchange of information.
On Senator Seekins' question about applicability of this law if
one was to cross state lines and if an Alaskan resident calls a
credit bureau in Minneapolis to put a freeze on this credit
report, he stated that that credit reporting agency would be
required to honor that freeze regardless of who called.
2:18:40 PM
CHAIR BUNDE asked if the person who wishes that service has to
identify himself as an Alaskan resident to access protection
under Alaska law.
MR. SNIFFEN replied yes, the bill requires the resident to
provide sufficient identification to the bureau. It has to honor
his request if it wants to continue to do business in Alaska.
Half the states have the same requirement.
CHAIR BUNDE thanked people for their comments and said the bill
would be held for further work.
| Document Name | Date/Time | Subjects |
|---|