CSHB 65(FIN)-PERSONAL INFORMATION & CONSUMER CREDIT  2:30:23 PM CHAIR ELLIS announced CSHB 65(FIN) to be up for consideration. KAREN LIDSTER, staff to Representative John Coghill, co-sponsor of HB 65, presented a sectional analysis of the bill. Section 1 talks about the care of records and how they are to be managed from creation to disposal. Section 2 adds a new paragraph relating to the breach of security involving personal information. Section 3 adds a new Chapter to AS 45 on personal information protection act with seven articles - the substance of the bill. MS. LIDSTER said Article 1 describes what is required if there is a breach of information and definitions. Article 2, pages 7- 16, allows a consumer to put a freeze on their personal information and tells how to lift it as well. Article 3, on pages 16-21, establishes parameters for the collection, use, sale loan or trade of social security numbers; it also provides for exceptions and penalties. Article 4, pages 21-24, outlines the measures to follow when disposing of personal information; it also provides for exceptions, penalties and definitions. 2:34:47 PM Article 5, pages 24-26, outlines the rights an individual has when trying to establishing their innocence after their identity has been stolen. Article 6, pages 26-27, describes the limits on businesses regarding the printing of credit or debit card numbers on consumer receipts and allows the last four digits on receipts. Article 7, pages 27-29, provides for the definitions and cites the short title. 2:38:33 PM Significant changes include giving a business the time to decide whether harm was caused if there was a breach in their information (page 2, lines 19-24). The breach needs to be documented, but notification is not required. The damages section was changed to target arbitrary lawsuits against large businesses that might have a breach or mishandle it without any harm being done to them personally by adding "actual economic damages" on the civil side of the penalties. The definition of personal information was narrowed down to delete information that is easily or readily available or public information. 2:40:02 PM MEAGAN FOSTER, staff to Representative Les Gara, co-sponsor of HB 65, added they have worked hard on this bill for a number of years and that they would be happy to answer questions. 2:40:54 PM GAIL HILLEBRAND, Financial Services Campaign Manager, Consumer's Union, San Francisco, said Consumer's Union is a non-profit publisher of Consumer Reports. Its mission is to test, inform and protect, and she is with the protective pieces of the organization. She said HB 65 is a moderate but strong measure and that identity theft is now a world wide crime. The crook can be anywhere in the world, and the victim can be anyone with good credit. HB 65 offers prevention as the best remedy, and it does it in a couple of ways. Article 1 provides notice of breach which tells consumers when certain very narrowly defined categories of important information have been released to the public, stolen or lost and might be in the hands of a crook. More than 35 states have enacted some legislation on this issue. Alaska takes an in-between approach by narrowing the scope of the information, saying it has to include the consumer's name and that a determination cannot be made that there is no risk before a consumer has to be told about it. With a security freeze the concept is the consumer gets to lock up who gets to see their credit files. Everyone gets a choice of using it with a state security freeze law. MS. HILLEBRAND said the pricing and fees are kind of in the mid- range and she pointed out that in Indiana consumers pay no fees and Montana has them pay $3/pop. She summarized that "it's kind of a mid-range but well-crafted proposal." She said this measure has some social security provisions that are common in a dozen or more states such as don't print social security numbers on a card and don't mail it except in certain circumstances. She said they were very pleased to support this measure. 2:44:00 PM STEVE CLEARY, Executive Director, Alaska Public Interest Research Group (AKPIRG), supported HB 65. He said this issue had been on their front burner for a number of years. Identity theft costs consumers time and money and on the average it takes over 200 hours to clear a name. 2:46:59 PM JOHN BURTON, Vice President, Government Relations, Choice Point, said it is a publicly traded company that provides data and information services to businesses, government, legal and law enforcement communities at the local, state and federal level. They don't make loans, but help facilitate them with their products. He said they had spent a lot of time on this bill on the House side and that he would continue to work with them on it. He said HB 65 is "quite a large bill" and covers three primary issues: social security number regulation, data breach notification and the credit breaches. While he had on-going concerns about many of those provisions, he said he would focus his comments on the social security number provisions. MR. BURTON clarified that Choice Point and companies like it don't oppose these issues. Approximately 39 states have passed credit freeze legislation. The three national credit reporting agencies have voluntarily adopted this procedure where a person can call up and freeze access to their credit report. Another 39 states have already passed breached notification bills, and approximately 29 states have passed legislation that seeks to protect the public access and availability of social security numbers. Most of these states are modeled after the California law. His interests are two-fold, he said: state by state consistency and Choice Point's ability to be compliant with all of them. None of the state laws are exactly identical, but he works to get them as consistent as possible on core applications. 2:49:38 PM MR. BURTON said all companies like Choice Point that do activities related to non-public personal information (which could include social security numbers) are already regulated on the federal level in addition to whatever state laws may be in existence; these include the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and to a lesser extent, the federal Drivers Privacy Protection Act. If companies like his can't work under these laws, services will become slower, less efficient and more expensive. An interruption in services that are taken for granted now could occur - like the ability to walk in and get on-the-spot credit and the ability to get an instant binder from an insurance company to buy a car and drive it off the lot. Unfortunately, Mr. Burton said, as drafted the bill does not give them the kind of state by state allowance to continue their operations - even under existing federal law. They have far less problem with the legislative aspect of this bill than with the legal aspect. Many provisions that are in other state laws that they need in this bill are there, but as drafted they don't have any legal effect. So, he asked them not to delete anything, but to redraft certain sections. 2:51:27 PM SENATOR DAVIS asked for a copy of his drafted legal concerns. 2:52:02 PM AUDREY ROBINSON, Reed Elsevier, said they own Lexus Nexus, and provide legal services like looking up case law and public records information. However, they also provide many of the same services that Choice Point provides and she echoed Mr. Burton's sentiments. She didn't oppose HB 65, but wanted it to be consistent and workable for businesses. She wanted to focus on the social security provisions and how they would affect business here. First it involves Patriot Act compliance. Under that federal law, banks are required to get identifying information, including a social security number, to check against a known terror watch list. They do this to make sure the person opening the account isn't funding fundamental extremists or terrorism. Reed Elsevier maintains those lists, but the banks don't. The banks can gather that information through the Patriot Act, but they would no longer be able to transmit it to her to check against the terror watch list, and they similarly wouldn't be able to transmit it back to them so they could issue a bank account. Though the bill seeks to say that federal and state laws would not be harmed by this, they would say their business practices would, in fact, be harmed by not being able to engage in that transaction. 2:54:48 PM An additional transaction Reed Elsevier wouldn't be able to engage in is reporting judgments for credit reporting purposes. They receive lien and judgment information from states and when this information is transmitted to them it has social security numbers for matching to the appropriate person. Under this bill, they would no longer be able to collect that information or transmit it to the credit bureaus. If credit bureaus can't receive the judgment information from them, it won't appear on the credit report, and if that's the case, she didn't think the judgment would be satisfied. She asked the committee to keep the status quo for businesses that are using social security numbers for legitimate business purposes. CHAIR ELLIS asked if the problem is that the bill drafting needs to have legal import. MS. ROBINSON replied yes. For example the Fair Credit Reporting Act gives seven permissible uses for non-public personal information which includes the social security number; she clarified that they are "permitted" to use them under this act. They are also "authorized" to get it under the Gramm-Leach- Bliley Act. The language in the bill isn't consistent and refers to "authorized use" and "express authorized use". It's a semantic issue that needs to match with federal language that says "permits." 2:57:35 PM KEVIN BROOKS, Deputy Commissioner, Department of Administration, said he is pleased with the amendments. But he said the Department of Law still has concerns over exposure issues. The state collects data from many different sources like vital statistics, motor vehicles or the Permanent Fund. Through governing it is required to collect and keep data on citizens of the state and others. MR. BROOKS explained that their networks and systems had been developed incrementally over the last 20-plus years and they are doing as thorough of an analysis as they can on the state's security. The state had a data breach when some of its servers were breached in January 2005. Since that time they have been making significant investments in security infrastructure, and he anticipates having to continue doing that. He said security folks tell him it happens on a daily basis now, and it's not someone in their garage anymore. It's often very sophisticated government to government operations. CHAIR ELLIS asked if he shared private business concerns about semantic language issues. MR. BROOKS answered that is beyond his purview, and he suggested asking Mr. Sniffen at the Department of Law about it. 3:01:17 PM ED SNIFFEN, Department of Law (DOL), said he would look into questions and get back to them. 3:01:54 PM SENATOR STEVENS stated the key issue is if businesses have to react to passed laws, that it is the responsibility of Mr. Brooks and others in the administration to meet with those people and let the legislature know if it's true or not so they can decide how to proceed. 3:02:59 PM PAT LUBY, Advocacy Director, AARP, said identity theft is a growing concern for its members. He said many veterans went through this experience when the Army's computer was stolen, because their social security numbers were used as their Army identification numbers. He and Senator Stevens have just dealt with it, and until they were notified, the computer located and no breach was found, many veterans had a certain anxiety. He said one of the concerns is the impact on business throughout the U.S. of all the identity theft that takes place. It costs millions for the individuals who have lost their identity and have money stolen from them, but it costs billions for many of the businesses that have suffered losses because of identity theft. Finally, he said AARP studies identity theft because it is a very serious issue for its members; but it's also a health issue. Research has shown that identity theft victims have a higher death rate than non-victims. "Identity theft can kill you." MR. LUBY said HB 65 builds on some excellent work that Senator Gene Therriault and Senator Gretchen Guess worked on in the last session. "It was good a couple of years ago, it's even better right now, and we encourage your positive support of it." CHAIR ELLIS remarked that his bill was subsumed into the Therriault/Guess effort. He said HB 65 would be held for further work. There being no further business to come before the committee, he adjourned the meeting at 3:05:50 PM.