HOUSE BILL NO. 65 "An Act relating to breaches of security involving personal information, credit report and credit score security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, care of records, disposal of records, identity theft, furnishing consumer credit header information, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings; amending Rule 60, Alaska Rules of Civil Procedure; and providing for an effective date." 1:41:33 PM REPRESENTATIVE GARA, SPONSOR, spoke on behalf of himself and co-sponsor Representative John Coghill and made two clarifications regarding HB 65 for the record. He began with AS.45.48.030, Methods of Notice (page 3). When a company realizes that they have released financial information to the public, whether by accident or on purpose, this section requires that the company tell the people affected. Notification must take place through a letter sent to the most recent known address. He said one of the companies had asked if they would have to keep trying to notify a consumer if the address was wrong. Representative Gara said that under the standard in the bill, the company has to write once. They don't have to keep sending the letter. Representative Gara clarified the second issue, 45.48.410, Request and Collection (page 17). This section bans a person or company from selling, trading or making money from Social Security Numbers (SSN). However, there are situations in which the bill allows use of SSNs. He said the most important exception is in 45.48.410(b)(6). A company can always use an SSN if they are not making money by using it, if it has no independent value, or if it is part of a larger transaction such as a credit check or if the SSN is needed to verify identity for debt collection or to prevent fraud. 1:43:49 PM Co-Chair Chenault thought a Social Security card was never intended to be used as identification. Representative Gara said the sponsors agreed. They did not want companies demanding that people use their SSN for identification purposes; however, there is also no ban on it being used as identification. Co-Chair Meyer asked if there were amendments to the bill. Representative Nelson MOVED to RESCIND previous action taken on Amendment #3, 25-LS0311\K.2, Bannister, 2/07/08 (Copy on File). There being NO OBJECTION, the action was rescinded. Representative Nelson read Amendment #3, which deletes "the disclosure of permanent fund dividend applicant records" and all references to the same in the bill. She said the provision was put in by the Judiciary Committee. The battle to not allow the Dividend Corporation to give out applicant information was fought for years and won; she did not want the issue slipped into a bill that is going the other way in terms of providing information. AT EASE 1:47:05 PM RECONVENE 1:51:36 PM Co-Chair Meyer called for questions on Amendment #3. Representative Nelson MOVED to ADOPT Amendment #3, 25- LS0311\K.2, Bannister, 2/07/08 (Copy on File). Page 1, Line 1, deleting "the disclosure of permanent fund dividend applicant records,"; Page 2, Line 4 through Page 3, Line 18, deleting all material and then renumber the following bill sections accordingly: Page 29, Line 17, deleting "sec. 5", inserting "sec. 3"; Page 29, Line 21, deleting "sec. 5", inserting "sec. 3"; Page 29, Line 24, deleting "sec. 5", inserting "sec. 3"; Page 29, Line 26, deleting "sec. 6", inserting "sec. 4". Representative Hawker OBJECTED. LORI DAVEY, PRESIDENT, MOTZNIK INFORMATION SERVICES, spoke in opposition to Amendment #3. Her company had access to Fund Dividend (PFD) information before 2004. She said the loss of access to PFD information has made it more difficult for title companies, banks and attorneys to effectively differentiate people, especially those with the same name. Motznik is not asking to have the same access to information as they had before 2004, when anyone could download the PFD file off the State's website into a database. She said the amendment introduced into Judiciary gives access only to the name, mailing address and year of birth, not to SSNs or information for people under 18 years of age. The information will be used to effectively differentiate people and serve due process. 1:54:47 PM Ms. Davey explained that when Motznik does background screening for employment or housing, they can get name and date of birth from a criminal file and other public records. However, if a person does not vote, own a car, have a hunting or fishing license or show up anywhere else in the public record, there is no way to differentiate a person with a criminal record and no other address information from someone else with the same name. She does not consider the PFD information they are asking to be re-disclosed (name, address and year of birth) to be private information. Representative Nelson asked how companies in other states find information when they do not have access to data bases like the PFD. Ms. Davey assumed in other states companies had more access to tax records, which are not available in Alaska. Representative Crawford referred to a person with his name and a mix-up that resulted in Representative Crawford's PFD check being taken away. He understood both the need to have access to information and to limit it. He wondered how to keep protecting people if access is re-opened. 1:57:39 PM Ms. Davey said the information would be managed similar to how it is managed in the DMV, by limiting the people and companies who have access to the information. There are limited reasons why the information can be accessed. A form must be signed and there must be verification that the business being done is legitimate. The amendment limits the access. She described how Motznik's system tracks requests for information and keeps records indefinitely. Representative Gara wondered what records would be used in states that do not have an income tax. Ms. Davey said she only operates in Alaska and did not know. Representative Gara wondered if tax records were public in other states. Representative Gara wondered if the most recent address information someone could find on someone they were trying to do harm would be the PFD information. Ms. Davey thought that potentially DMV would have updated information. There are other means as well, since voter information is updated with the PFD. For most people that information is already available. 2:00:43 PM Representative Gara voiced concerns about giving out address information. Ms. Davie answered that in Alaska it is difficult to do business without access to the PFD information. Representative Gara reiterated his concerns. 2:02:27 PM Representative Hawker said he MAINTAINED his OBJECTION. Representative Thomas asked if the Division of Elections had the authority to use the PFD to update addresses. MEGAN FOSTER, STAFF, REPRESENTATIVE LES GARA said that she believed they did. Representative Hawker had asked the Division of Revenue (DOR) the same question recently and the answer was yes. Co-Chair Meyer noted that DOR people present were nodding their heads. Representative Thomas pointed out that even if the amendment were voted down, Elections would still have access to the addresses. Representative Nelson said she was happy to be offering the amendment to delete the provision. She did not want to slip major changes into other legislation, especially a bill like HB 65, which tries to limit access to information. She thought if there were strong support for the provision, there should be a stand-alone piece of legislation so that it could be discussed on its own. 2:05:01 PM A roll call vote was taken on the MOTION to ADOPT Amendment #3. IN FAVOR: Nelson, Stoltze, Thomas, Crawford, Gara OPPOSED: Kelly, Hawker, Chenault, Meyer Representative Harris was absent from the vote. The MOTION PASSED (5/4). Vice-Chair Stoltze asked if Amendment #4, 25-LS0311\K.1, Bannister, 1/30/08 (Copy on File), which had passed the previous day, was superfluous. Co-Chair Meyer said yes. AT EASE 2:06:34 PM RECONVENE 2:07:16 PM Co-Chair Meyer referred to new fiscal note for $2 million by the Department of Administration, new fiscal note by the Department of Revenue and new indeterminate fiscal note by the Office of Budget and Management. Representative Hawker wanted an explanation of the $2 million fiscal note. 2:08:15 PM KEVIN BROOKS, DEPUTY COMMISSIONER, DEPARTMENT OF ADMINISTRATION (DOA), gave information regarding the Department's fiscal note. He explained that since the State was the victim of a security breach in 2005, DOA had been requesting funds to strengthen data security. The Department replaced switches and routers on the network and took other measures to secure the hardware and infrastructure. The $2 million requested in the fiscal note would pay for encryption of data so the various state data bases would be protected in the event of another breach. Representative Hawker asked what the $1,765.600 under "equipment" in the fiscal note was for. Mr. Brooks replied that the budget was for both hardware and software. Software is included in equipment when the amount needed is large. Representative Hawker asked for clarification. Mr. Brooks replied that the $2 million in the FY 09 budget is a continuation that would complete and implement a double fire wall to put around all public facing servers. The $2 million in the capital budget completes the implementation of that as well as a network admission control. He added that the detail is in the Capitol budget, but they are separate and distinct projects. The only similarity is the amount. 2:11:20 PM Representative Hawker stated that he believed that the Legislature is only beginning to see the requested funding to deal with data security in Alaska. He pointed out previous funding adding up to approximate $16 million listed on the second page of the fiscal note. He voiced concerns regarding long term planning. Mr. Brooks agreed but wanted to list every dime that has gone into security. He said there is money in the capital budget for the proposed project and that the Department did have a five year plan. The encryption budgeted is in that plan. He emphasized that the encryption needed to be done as soon as possible; HB 65 points to the urgency to encrypt data. 2:14:33 PM Representative Hawker emphasized that he was not arguing the merits of encryption. He wondered if HB 65 places a burden of responsibility on the State. Mr. Brooks answered that from the Department's perspective, the State is treated like any other keeper of data. The State is not in the business of making profit from the data but still keeps enormous amounts of personal data. Representative Gara clarified that HB 65 did not require data encryption, although it is a good, safe practice. Mr. Brooks agreed that HB 65 did not require encryption, but DOA believes encryption is a prudent thing to do in light of penalties in place in the bill. Representative Hawker asked what penalties HB 65 would impose upon state employees or the State itself. Mr. Brooks answered that state employees would be covered under a public officials bond, so there would be no personal liability. However, the bill has been amended to include actual economic damages caused in a breach. There are also costs to notify. He acknowledged positive amendments that will enable mass notifications, but thought the State had vulnerabilities that other companies did not have because of the amount of personal data the State maintains. 2:17:17 PM Representative Hawker reiterated concerns about the fiscal note and the enormity of data security issues. 2:18:11 PM Mr. Brooks agreed that the State will need to be diligent in security efforts, as the level of sophistication of hackers is growing. Co-Chair Meyer pointed out that the new fiscal note by the Department of Revenue was deleted because Amendment #3 had passed. Vice-Chair Stoltze MOVED to report CSHB 65 (FIN) out of Committee with individual recommendations and with new fiscal note by the Department of Administration and new indeterminate note by the Office of Management and Budget. There being NO OBJECTION, it was so ordered. CS HB 65 (FIN) was REPORTED out of Committee with "no recommendation" and with new fiscal note by the Department of Administration and new indeterminate note by the Office of Management and Budget.