HOUSE BILL NO. 65

"An Act relating to breaches of security involving personal information, credit report and credit score security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, care of records, disposal of records, identity theft, furnishing consumer credit header information, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings; amending Rule 60, Alaska Rules of Civil Procedure; and providing for an effective date."

Vice-Chair Stoltze MOVED to ADOPT work draft 25-LS0311\L, Bannister, 2/4/08. There being NO OBJECTION, it was adopted.

Representative Nelson asked if the Committee would be addressing amendments.

AT EASE: 2:59:09 PM
RECONVENE: 3:00:14 PM

3:00:17 PM
REPRESENTATIVE JOHN COGHILL, SPONSOR, provided an overview of the working sectional for House Finance on proposed changes to HB 65 (On File).

Title: Insert "disclosure of permanent fund dividend applicant records" on line 5 after "administrative hearings".

Section 1 AS 40.21.110 Care of records. This sets out the ownership of public records and how they are to be managed from creation to disposal.

Section 2 AS 43.23.017 relates to the confidentiality of information on each permanent fund dividend application.

Section 3 AS 43.23.017 allows disclosure of the non-confidential applicant information to a business that is licensed under AS 43.70.020.

Section 4 AS 44.64.030(a) adds a new paragraph (35), AS 45.48.080(c), which is part of the new Chapter 48, Personal Information Protection Act.

Section 5 AS 45 is amended by adding a new chapter, Personal Information Protection Act. This new chapter contains a total of seven (7) Articles with individual sections.

Article 1. Breach of Security Involving Personal Information

Sec. 45.48.010 Disclosure of breach of security. Describes what a covered person who owns or [uses] licenses personal information must do in case of a breach of information.
This change makes it clear that a covered person that owns or licenses information is responsible for disclosure and notification in case of a breach. "Covered person" is described in Sec. 45.48.090 Definitions, to bring conformity to the meaning of person throughout Article 1.

Sec. 45.48.020 Allowable delay in notification. Describes reasons for delaying notification of a breach of information.

Sec. 45.48.030 Methods of notice. Describes the methods to be used to notify a person that there has been a breach of information. Lists exceptions to the methods of notification relating to cost and number of consumers to be notified.

Sec. 45.48.040 Notification of certain other agencies. Describes when it is necessary to notify other consumer reporting agencies about a breach. Exceptions to these requirements are also set out.

Sec. 45.48.050 Exception for employees and agents. Lists exceptions for acquisition of personal information by an employee or agent of an information collector.

Sec. 45.48.060 Waivers. No waivers of these sections are allowed.

Sec. 45.48.070 Treatment of certain breaches. A breach of information by an information recipient must be reported to the information distributor so they can comply with the notification requirements if the breach occurred to an information system maintained by the information distributor.

Sec. 45.48.080 Violations. Sets out fines for violations of 45.48.010 - 45.48.090 by a governmental agency that is an information collector, and by information collectors who are not governmental agencies. Defines "governmental agency".

Sec. 45.48.090 Definitions. Defines the following terms:
(1) breach of the security;
(2) ["information collector"] is replaced with: "covered person" means (A) a person doing business; (B) a governmental agency; or (C) a person with more than 10 employees. This new subsection (2) describes "covered person" and replaces "information collector" throughout Article 1.
(3) "governmental agency" means a state or local governmental agency, except for an agency of the judicial branch. New definition: because "governmental agency" is included in "covered person", it needs to be defined.
(4) "information collector" means a covered person who owns or licenses personal information in any form if the personal information includes personal information on a state resident. Changes in the definition of "information collector" include "covered person", which is described in (2) above.

New subsection: (7) "personal information"
Page 7, Line 23: Delete [address, or telephone number] after individual's name. Address and telephone number are deleted because this information is readily available in public records.
Page 7, Line 31 to Page 8, Lines 1 - 7: Add
(iii) except as provided in (iv) of this subparagraph, the individual's account number, credit card number, or debit card number;
(iv) if an account can only be accessed with a personal code, the number in (iii) of this subparagraph and the personal code; in this sub-subparagraph, "personal code" means a security code, an access code, a personal identification number, or a password;
(v) passwords, personal identification numbers, or other access codes for financial accounts.
These changes were made to make it clear what information and combinations of information are considered personal information. The combination of numbers, codes, cards, etc., if breached, would be cause for notification to an individual. Adding access codes and PIN numbers tightens the information breach notification requirements.

Article 2. Credit Report and Credit Score Security Freeze

Sec. 45.48.100 Security freeze authorized. Rights of consumers to prohibit release of their personal information.

Sec. 45.48.110 Placement of security freeze. (a)(1) by [certified] mail. Sets out procedures for a consumer to request a consumer credit reporting agency to freeze their information.
Page 8, Line 15: Remove requirement that request for freeze be made by certified mail.

Sec. 45.48.120 Confirmation of security freeze. Describes the responsibility of the consumer credit reporting agency to notify the consumer when a security freeze has been placed.

Sec. 45.48.130 Access and actions during security freeze. Describes how a consumer can allow access to their information by a third party when a security freeze is in place; the timeframe for the consumer credit reporting agency to respond; how an insurer is to treat a consumer's application if a security freeze prevents access to the consumer's information; what changes are allowed when a security freeze is in place; and notification requirements. Defines "official information" and "technical change".
Page 9, Lines 27 - 28: (d) [immediately] to 15 minutes. The change from immediately to 15 minutes was a more reasonable response time.

Sec. 45.48.140 Removal of security freeze. Sets out the procedure for removing a security freeze, how the request for the freeze is to be made, how the consumer credit reporting agency shall respond, and what identifiers are necessary to remove the freeze.
Page 11, Line 22: (b) [immediately] to within three days. The change from immediately to within three days was a more reasonable response time.

Sec. 45.48.150 Prohibition. Sets out guidelines for reporting to third parties when a security freeze is in place.

Sec. 45.48.160 Charges. Charges to a consumer regarding security freezes.

Sec. 45.48.170 Notice of rights. Additional notices to be given when a consumer is provided a summary of rights under the Fair Credit Reporting Act (FCRA). Caution is given that a security freeze may prohibit the timely approval of subsequent requests or transactions.
Page 13: [rental housing, employment, an investment, a license, a digital signature]
Page 14, Line 17: Internet credit card [transaction] application, an extension of credit at point of sale, and other items and services.
Specific items were deleted because they are exceptions to a security freeze in other sections. "Application" was substituted for "transaction" to clarify that a freeze does not stop a person from making purchases with their card. This section also advises the individual that there may be charges for lifting a freeze after the person has used their two free lifts.
Page 14, Lines 9 - 11: [Under some circumstances] After the first two requests in a year the consumer credit reporting agency may charge you $2 to temporarily lift the freeze. This change lets an individual know that the CRA may charge $2 to lift a freeze after the 2 free lifts. Deleted "Under some circumstances" to remove ambiguity about when the charges might be applied, but gives the CRA some latitude as to whether or not they want to charge for additional lifts.

Sec. 45.48.180 Notification after violation. Describes the notice required if a consumer credit reporting agency violates a security freeze. The timeframe to report the violation is within five business days after:
Page 14, Line 28: insert "discovering" the release. Inserted the word "discovering" for clarification that a violation may have occurred, but until it is discovered the CRA cannot be expected to give notice.

Sec. 45.48.190 Resellers. Requires that a consumer credit reporting agency acting as a reseller honor a security freeze that is placed by another consumer reporting agency.

Sec. 45.48.200 Violations and penalties. Describes the rights of a consumer who suffers damages as a result of a breach of their personal information.
Page 15, Lines 7 - 10: [actual damages, including loss of wages, and when applicable, damages for pain and suffering;] may recover actual economic damages, court costs allowed by the rules of court, and full reasonable attorney fees. These changes reflect the penalties allowed throughout the Act. The individual has the right to recover actual economic damages, court costs and attorney fees.

Sec. 45.48.210 Exemptions. Lists exemptions to the use of credit information when a security freeze is in place.
Page 16, Line 26: The exceptions in (b) do not apply to a person [who acts] when acting only as a reseller of consumer information. A person may wear many "information" hats. This change makes it clear that exemptions do not apply when a person is acting as a reseller, which is narrower than "who acts".

Sec. 45.48.290 Definitions. Defines the following terms: account review; consumer; consumer credit reporting agency; reseller of consumer information; security freeze; third party.

Article 3. Protection of Social Security Number

Sec. 45.48.400 Use of social security number. Sets out guidelines for handling a person's social security number.

Sec. 45.48.410 Request and collection. Sets out prohibitions and exemptions for requesting or collecting an individual's social security number.
(b)(1) if the person is expressly authorized by local, state, or federal law, including a regulation adopted under AS 45.48.470, to demand proof of the individual's social security number, to (Page 18, Line 26) request or collect the individual's social security number;
(5) if the request or collection is for a background check on the individual, law enforcement (Page 19, Line 12) or other government purposes or the individual's
(6) if the (Page 19, Line 14) [disclosure] request or collection does not have independent economic value.
The changes shown above protect those individuals required to collect a social security number. "Disclosure" is deleted as this section is not dealing with disclosure of SSNs.

Sec. 45.48.420 Sale, lease, loan, trade, or rental. Prohibitions and exemptions regarding third party use of social security numbers.
Page 19, Lines 27 - 29: (c) Nothing in this section prevents a business from transferring social security numbers to another person if the transfer is part of the sale or other transfer of the business to the other person.
This new subsection allows the sale or transfer of a business that owns or possesses social security numbers.

Sec. 45.48.430 Disclosure. Prohibitions and exemptions regarding disclosure of social security numbers to third parties.
(b)(5) the disclosure is for a background check on the individual, law enforcement (Page 20, Line 21) or other government purposes, or the individual's employment, including employment benefits. "Or other government" is included for consistency with Sec. 45.48.410 and for protection when performing duties that include disclosure.

Sec. 45.48.440 Interagency disclosure. Describes when and to whom disclosure is authorized.

Sec. 45.48.450 Exception for employees, agents, & independent contractors. Describes when and to whom disclosure is authorized.

Sec. 45.48.460 Employment-related exception. Describes when use of a social security number should not be restricted.

Sec. 45.48.470 Agency regulations. Procedures for adopting regulations necessary for a state agency to carry out its duties and responsibilities.

Sec. 45.48.480 Penalties. Rights of the state and individuals against persons that knowingly violate these sections, and what damages and attorney fees may be recovered. For consistency with other sections that deal with penalties, insert (Page 22, Line 4) "economic" after "actual".

Article 4. Disposal of Records

Sec. 45.48.500 Disposal of records. This sets out the measures to be followed when disposing of records which contain personal information.

Sec. 45.48.510 Measures to protect access. Describes the measures that may be taken to comply with Sec. 45.48.500 (above).

Sec. 45.48.520 Due diligence. Lists procedures that, if performed, show due diligence.

Sec. 45.48.530 Policy and procedures. A business or governmental agency shall adopt written policies and procedures relating to records disposal.

Sec. 45.48.540 Exemptions. Compliance with these sections is not required if a government agency or business is required by federal law to act in another way, or the business is subject to and in compliance with GLBA or FCRA.

Sec. 45.48.550 Civil penalty. Liability to the state by an individual, business, or governmental agency for violations of these sections.

Sec. 45.48.560 Court action. Page 24, Lines 1 - 4: actual economic damages, court costs allowed by the rules of court, and full reasonable attorney fees. These changes are made to this section to be consistent with court actions and penalties throughout the Act.

Sec. 45.48.590 Definitions. Defines the following terms: business; conducts business; possesses; dispose; governmental agency; personal information; records.
(4) "personal information" means (Page 25, Line 2) (B)(i) name, [address, or telephone number] and. This change will make the definition of "personal information" consistent by removing address and telephone number.

Article 5. Factual Declaration of Innocence after Identity Theft; Right to File Police Report Regarding Identity Theft

Sec. 45.48.600 Factual declaration of innocence after identity theft. Describes the conditions that should exist in order for an individual to petition the superior court for a determination of innocence of a crime involving the theft of their identity.

Sec. 45.48.610 Basis for determination. Lists the type of information that may be made part of the record for the court to make a determination of factual innocence.

Sec. 45.48.620 Criteria for determination; court order. Sets the criteria that the court may use to determine a victim's factual innocence.

Sec. 45.48.630 Orders regarding records. Describes what the court may order regarding the disposition of incorrect records regarding a victim of identity theft.

Sec. 45.48.640 Vacation of determination. States that a court order may be vacated if there has been a misrepresentation of the material.

Sec. 45.48.650 Court form. Development of a form to be used under 45.48.620.

Sec. 45.48.660 Data base. This section allows the establishment and maintenance of a data base of victims of identity theft, and sets out who is authorized to access the information.

Sec. 45.48.670 Toll-free telephone number. Establishes a toll-free number that accesses the information in the data base established in 45.48.660.

Sec. 45.48.680 Right to file police report regarding identity theft. Sets out the rights of an individual to file a police report if they suspect they are a victim of identity theft, and the responsibility of a law enforcement agency to make the report even if it does not have jurisdiction.

Sec. 45.48.690 Definitions. Defines the following terms: crime, department, identity theft, perpetrator, and victim.

Article 6. Truncation of Card Information

Sec. 45.48.750 Truncation of card information. Describes limits on a business regarding the printing of credit or debit card numbers, and the exceptions depending on whether the receipt is produced electronically or is handwritten or imprinted. Sale of devices that print more than the last four digits on a consumer receipt for a credit or debit card transaction is not allowed. Also sets out the civil action that an individual can take, and the civil penalty to the state. It also describes credit, credit card, debit card, and knowingly.
Page 28, Line 1: may recover actual economic damages, [or $5,000, whichever is greater]. These changes keep the civil action damages consistent throughout the Act.

Article 7. General Provisions

Sec. 45.48.990 Definitions. Provides definitions of terms.

Sec. 45.48.995 Short Title. Alaska Personal Information Protection Act.

Page 29, Line 17: deleted "AS 45.48.750 is amended by adding a new subsection (f)." This subsection was included in Article 6, Truncation of Card Information, Page 27, Lines 28 - 30, subsection (c).

New Section 6. Page 29, Lines 17 - 24: AS 45.50.471(b) is amended by adding a new paragraph (53) (A) and (B).
Section 7 The uncodified law of the State of Alaska is amended by adding a new section to read: INDIRECT COURT RULE AMENDMENTS. (a) AS 45.48.640 changes Rule 60(b), Rules of Civil Procedure, affecting AS 45.48.640. (b) AS 45.48.640(b) changes Rule 82, Rules of Civil Procedure, affecting AS 45.48.480(b).

NEW SECTION: Section 8 - TRANSITION: REGULATIONS. A state agency may proceed to adopt regulations necessary to implement this Act. The regulations take effect under AS 44.62 (Administrative Procedure Act), but not before the effective date of the law implemented by the regulation.

Section 9 AS 45.48.470, enacted by Sec. 5 of this Act, takes effect immediately under AS 01.10.070(c).

Section 10 Section 8 of this Act takes effect immediately under AS 01.10.070(c).

Section 11 Except as provided by secs. 9 - 10 of this Act, this Act takes effect January 1, 2009.

3:19:22 PM
Representative Coghill noted that the bill's sponsors had worked with State agencies regarding penalties and provisions, and have strongly encouraged the agencies to protect information. He acknowledged that many procedures have already changed.

3:22:30 PM
Co-Chair Meyer said there were amendments to the bill that would be proposed. He asked if there were questions based on the changes proposed in the working sectional.

Representative Hawker commented that a number of his previous concerns had been addressed. He wondered if consensus had been reached regarding the whole.

3:23:48 PM
Representative Coghill thought that aside from policy calls that he could not agree with, most concerns had been addressed. He pointed out that the bill proposes a SSN protection scheme that is probably the toughest in the nation and he thought there would be some opposition. As far as the freeze goes, the bill is well within national limits. Truncation is less of an issue.
He listed some of the problems insurance companies and doctors had with the bill and added that those problems are connected with billing issues and not identification purposes.

Representative Hawker wondered if all of his concerns related to notification by email had been addressed.

3:26:30 PM
Representative Coghill responded that the sponsors thought mail would be the best form of notification. He thought there might be some discussion about whether the protection requirement should apply to both paper and electronic records.

Representative Gara said the issue of the form of notification is addressed by the bill. When a company has personal financial information that is accidentally released to the public, if a very large number of people are affected, the company can notify by email. If the number of people affected is smaller, the company has to send a letter.

Representative Hawker said he was comfortable with the approach.

3:29:08 PM
HB 65 was heard and HELD in Committee for further consideration.