Legislature(2005 - 2006)CAPITOL 17

04/13/2005 03:15 PM House LABOR & COMMERCE

Download Mp3. <- Right click and save file as

* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
Moved Out of Committee
Heard & Held
Bills Previously Heard/Scheduled
Heard & Held
HB 226-PERSONAL INFORMATION BREACH                                                                                            
CHAIR ANDERSON announced  that the first order  of business would                                                               
be HOUSE BILL  NO. 226, "An Act relating to  breaches of security                                                               
involving  personal information;  and relating  to credit  report                                                               
security freezes."                                                                                                              
3:34:59 PM                                                                                                                    
CHAIR  ANDERSON then  announced that  HB 226  would be  held over                                                               
until Friday,  at which time  he indicated the  legislation would                                                               
be  reported from  committee.   He mentioned  that one  party has                                                               
requested that the legislation be held  in order to have time for                                                               
a bit  more research.   He  also mentioned  his intention  to co-                                                               
sponsor HB 226.                                                                                                                 
3:35:10 PM                                                                                                                    
REPRESENTATIVE  LES  GARA,  Alaska  State  Legislature,  sponsor,                                                               
noted  that  there  is  a  proposed  committee  substitute.    He                                                               
explained  that  HB  226  responds   to  the  ChoicePoint,  Inc.,                                                               
security fraud  cases.  He  informed the committee that  a number                                                               
of  financial  companies  that make  money  by  selling  people's                                                               
personal  and  financial  information   don't  use  the  required                                                               
security safeguards.  Therefore,  people's personal and financial                                                               
information  are  being stolen.    In  the ChoicePoint  case  the                                                               
information of 145,000  people was stolen and  the company didn't                                                               
immediately  tell  the  victims.    This  legislation  follows  a                                                               
California law that specifies that  if a company that makes money                                                               
on  people's  information  discovers that  information  has  been                                                               
stolen or  misused, it  must inform  the individuals  right away.                                                               
In the  ChoicePoint case,  a number of  months passed  before the                                                               
145,000 people were told that  their information had been stolen.                                                               
In  California,  the individuals  were  notified  because of  the                                                               
state law requiring such knowledge  be provided to the individual                                                               
whose information was lost or stolen.                                                                                           
3:38:13 PM                                                                                                                    
REPRESENTATIVE GARA  highlighted that  HB 226 also  provides that                                                               
an  individual who  is worried  that his  or her  information has                                                               
been stolen can  call one of the three  credit reporting agencies                                                               
and request  a hold  on his  or her  financial information.   The                                                               
aforementioned   is   referred   to   as   a   security   freeze.                                                               
Representative  Gara  related that  the  Department  of Law,  the                                                               
Alaska  Public Interest  Research  Group (AkPIRG),  and the  U.S.                                                               
Public Interest  Research Group (AkPIRG) appear  to be supportive                                                               
of this legislation.                                                                                                            
3:39:23 PM                                                                                                                    
CHAIR  ANDERSON surmised  that HB  226  is senior  friendly.   He                                                               
recalled  reading information  relating  that one  of the  senior                                                               
advocacy  groups supports  the California  legislation, on  which                                                               
this based.                                                                                                                     
REPRESENTATIVE GARA  stated that  AARP is  supportive of  HB 226.                                                               
He opined  that in this  kind of  security fraud, seniors  are as                                                               
vulnerable  as everyone  else not  more  vulnerable than  others.                                                               
Representative Gara further opined  that everyone has an interest                                                               
in knowing if  one's personal and financial  information has been                                                               
stolen.   Moreover, it's  quite an  outrage that  these companies                                                               
aren't informing  people when the  information is stolen.   "They                                                               
make  money off  us, and  they  have a  duty to  protect us,"  he                                                               
The committee was at-ease from 3:40 p.m. to 3:44 p.m.                                                                           
3:44:39 PM                                                                                                                    
CHAIR  ANDERSON  moved to  adopt  CSHB  226,  Version I,  as  the                                                               
working  document.   There  being  no  objection, Version  I  was                                                               
before the committee.                                                                                                           
3:46:11 PM                                                                                                                    
GEORGE BERRY,  Teamsters Local 959,  informed the  committee that                                                               
he  works in  the  oil  and gas  industry  through the  Teamsters                                                               
union.  He  related that he and his coworkers  are very concerned                                                               
with these  types of businesses operating  seemingly unregulated.                                                               
Mr. Berry noted that the  legislation appears to require a remedy                                                               
for the individual  to whom harm is done from  poor or inaccurate                                                               
reporting, or  theft or disclosure  of information to  an unknown                                                               
third party,  and for that he  thanked the sponsor.   He stressed                                                               
the  need  to  keep  an  individual's right  to  privacy  at  the                                                               
forefront when [employers] perform  background checks.  Mr. Berry                                                               
related  that  this will  be  implemented  in  the [oil  and  gas                                                               
industry] in the  near future and thus there is  the desire to be                                                               
sure  that  the  appropriate  protections are  in  place  in  the                                                               
[employee's] contract language.                                                                                                 
3:48:24 PM                                                                                                                    
JOHN  GEORGE,  Lobbyist,  American   Council  of  Life  Insurers;                                                               
Property Casualty Insurance  Association of America, acknowledged                                                               
that   insurance   companies   have  much   of   this   sensitive                                                               
information,  such as  social security  numbers.   The  insurance                                                               
companies   are  concerned   with  regard   to  protecting   such                                                               
information.     He   related  that   generally,  the   insurance                                                               
[industry] supports  the concept of HB  266, which seems to  be a                                                               
national  movement.   He  mentioned that  this  concept has  been                                                               
introduced  in  about  28  states.     Mr.  George  informed  the                                                               
committee  that Congressional  legislation, which  is essentially                                                               
the earlier mentioned California bill,  has been introduced.  The                                                               
aforementioned,  national  approach,   is  probably  better  than                                                               
having  each  state  pass it's  own  legislation,  possibly  with                                                               
slight  differences.    Therefore,  he  urged  the  committee  to                                                               
consider  that.   Mr. George  related that  the organizations  he                                                               
represents believe that privacy  of information and disclosure of                                                               
any breach of this type  of information should apply to everyone.                                                               
Although  this legislation  doesn't  specifically  state that  it                                                               
applies to  governmental entities,  the sponsor has  related that                                                               
the reference  to "any person"  does include the state  and other                                                               
governmental entities, he noted.                                                                                                
MR. GEORGE  further informed the  committee that his  clients are                                                               
also concerned  with regard to information  that's being acquired                                                               
and information  that's being  accessed.   He explained  that one                                                               
can acquire  something, but  not have access  to it  because it's                                                               
encrypted data.   In that  case, there  really isn't a  breach of                                                               
information.   Again,  the  sponsor  believes the  aforementioned                                                               
concern  is  addressed.     Mr.  George  pointed   out  that  the                                                               
legislation   refers  to   encryption,  which   is  the   current                                                               
technology used to  protect information.  However,  in the future                                                               
there may be other applications,  and therefore he suggested that                                                               
the  language should  be  broadened to  refer  to "encryption  or                                                               
other technology  that prohibits access  to the data".   He noted                                                               
that  because  other  states are  adopting  similar  legislation,                                                               
companies   already   have   notification  processes   in   mind.                                                               
Therefore,  he  expressed  the  need  to  have  the  notification                                                               
process  be consistent  with  the law  as long  as  it meets  the                                                               
specified  timeframes  to get  the  notice  out,  even if  a  bit                                                               
different than  what's prescribed  in the  law.   Thus, companies                                                               
could use the same notice procedures  in all states.  He informed                                                               
the committee  that the sponsor has  agreed to meet with  him and                                                               
discuss his concerns.                                                                                                           
3:51:47 PM                                                                                                                    
REPRESENTATIVE GUTTENBERG  asked if  anyone used a  more generic,                                                               
board language than "encryption."                                                                                               
MR.  GEORGE replied  yes, and  suggested that  the language  "any                                                               
other method or technology that  renders the personal information                                                               
unreadable or  unusable" would  include future  technology that's                                                               
BARBARA  HUFF TUCKNESS,  Director,  Governmental and  Legislative                                                               
Affairs, Teamster Local 959, related her  support of HB 226.  She                                                               
said that Mr. George adequately  covered her concerns with regard                                                               
to background  checks.  For smaller  employers that [financially]                                                               
don't  have access  to  a secure  system  for background  checks,                                                               
something in  statute would  be appropriate.   Ms.  Huff Tuckness                                                               
noted  that  she is  working  with  the  sponsor to  address  the                                                               
background  check,  the  chain  of  custody,  and  how  documents                                                               
received  on  an  employee are  handled  through  the  processing                                                               
company or the specific employer.                                                                                               
CLYDE  SNIFFEN,   Assistant  Attorney  General,   Civil  Division                                                               
(Anchorage), Department  of Law, informed the  committee that the                                                               
department reviewed  HB 226 for  legal concerns for which  it has                                                               
none.  Mr.  Sniffen opined that HB 226 will  help address some of                                                               
the earlier mentioned security breach issues.                                                                                   
STEVE   CLEARY,  Executive   Director,  Alaska   Public  Interest                                                               
Research Group  (AkPIRG), applauded the committee's  quick action                                                               
in addressing this  national problem.  He  informed the committee                                                               
that he  just learned  that about  185,000 GM  MasterCard holders                                                               
had their personal  information breached again.   The question is                                                               
how and  when these people will  be notified as well  as how best                                                               
these people can protect themselves.                                                                                            
DAN SIMIEM, President, Laborers Local  942, stated his support of                                                               
HB 226.  Mr. Simiem pointed  out that companies that retrieve and                                                               
bank this data should have some  kind of firewall protection.  He                                                               
offered  his  understanding that  the  problem  comes when  these                                                               
companies  go  to smaller  [entities],  which  tend to  open  the                                                               
portals  to the  information.   Therefore, he  requested that  be                                                               
given consideration.                                                                                                            
3:56:54 PM                                                                                                                    
REPRESENTATIVE LYNN  highlighted that  the legislation  refers to                                                               
businesses that use personal information.   He noted that when he                                                               
gets  new  software, it  has  to  be registered,  which  includes                                                               
personal information.   He asked if that would  be included under                                                               
HB  226  or would  it  be  limited  to  large companies  such  as                                                               
REPRESENTATIVE GARA clarified that  [under HB 226] if information                                                               
on an  individual held  by any government  entity or  company has                                                               
been breached,  the individual(s) have  to be told.   He surmised                                                               
that Representative Lynn  is alluding to the  companies that sell                                                               
information, for which legislation was  introduced last year.  He                                                               
said that it's probably worth  another look.  Representative Gara                                                               
clarified that HB  226 relates to stolen  information rather than                                                               
the sale of information.  He  mentioned his concern that the sale                                                               
of  information may  be regulated  by  federal law  and thus  the                                                               
state may  not be  able to  address it.   In further  response to                                                               
Representative  Lynn, he  specified  that HB  226 doesn't  change                                                               
anything  in  regard  to  entering  information  for  a  computer                                                               
information  form, for  example.   However,  he said  that is  of                                                               
concern as well.                                                                                                                
3:58:48 PM                                                                                                                    
REPRESENTATIVE  GUTTENBERG turned  to  the situation  in which  a                                                               
site from  which one has  downloaded information pulls  data from                                                               
an individual's computer  and uses the data.   The aforementioned                                                               
is  a breach  of the  individual's security.   He  suggested that                                                               
most people  don't have  firewalls on their  home computers.   He                                                               
asked if the aforementioned situation is addressed in HB 226.                                                                   
REPRESENTATIVE GARA  reiterated that  HB 226  addresses companies                                                               
that   have   individuals'    personal   information   and   [the                                                               
notification  procedures] required  when they  discover that  the                                                               
information has been  stolen.  This legislation  merely says that                                                               
once the company finds out  that the information has been stolen,                                                               
they have to inform the individuals  immediately.  The sale of an                                                               
individual's  information is  of great  concern, but  he said  he                                                               
didn't know how to regulate it at this point.                                                                                   
REPRESENTATIVE LEDOUX  posed a situation  in which  an individual                                                               
took information  from one  of these  companies that  stores data                                                               
and then sells it.  She inquired as to what would happen.                                                                       
REPRESENTATIVE GARA  reiterated that HB 226  protects people when                                                               
there  has  been  an  unauthorized   use  of  their  information.                                                               
Therefore, if  a company that  holds data discovers  that someone                                                               
has taken  data without the  company's consent, then  the company                                                               
has to  inform those  whose data  was taken.   He said  he wasn't                                                               
sure  of the  federal rules  regarding a  situation in  which the                                                               
person who took the information subsequently sells it.                                                                          
4:01:27 PM                                                                                                                    
REPRESENTATIVE  LEDOUX asked  whether  "they" have  to tell  [the                                                               
individual] that his or her information is being sold.                                                                          
REPRESENTATIVE  GARA  specified  that  this  legislation  doesn't                                                               
address the sale  of the information that has  been authorized by                                                               
the  company housing  the data.   Again,  this is  an issue  that                                                               
should be reviewed, but he said  he didn't know how to address it                                                               
at this point.                                                                                                                  
4:01:45 PM                                                                                                                    
REPRESENTATIVE  GUTTENBERG surmised  that  it  would address  the                                                               
Commerce Clause.  He inquired as  to how those companies that are                                                               
located out of state or out of the country would be addressed.                                                                  
REPRESENTATIVE GARA highlighted that  this legislation includes a                                                               
provision that specifies  that it applies to the  full extent the                                                               
constitution  allows.   Generally,  if there  is an  out-of-state                                                               
company  that is  selling personal  information of  Alaskans, the                                                               
company has "touched  us enough" that the state  can regulate it.                                                               
Therefore, this  legislation applies to companies  located out of                                                               
state if they use the information of Alaskans.                                                                                  
CHAIR   ANDERSON,  upon   determining  there   were  no   further                                                               
questions, closed public testimony.                                                                                             
[HB 226 was held over.]                                                                                                         

Document Name Date/Time Subjects