CSHB 65(FIN)-PERSONAL INFORMATION & CONSUMER CREDIT  1:54:04 PM CHAIR ELLIS announced CSHB 65(FIN) to be up for consideration. [The committee was considering SCS CSHB 65(L&C), version 25- LS0311\V.] KAREN LIDSTER, staff to Representative John Coghill, co-sponsor of HB 65, was available to answer questions. MEAGAN FOSTER, staff to Representative Les Gara, co-sponsor of HB 65, started reviewing the changes to version V. On page 11, line 9, the original bill allowed $10 for placing a security freeze per credit reporting agency and the CS takes that to $5 based on AARP testimony. SENATOR BUNDE asked what a freeze would actually cost. MS. FOSTER answered that states' charges vary with $15 being the most expensive. Indiana has no charge for placing a freeze. She has not heard what actual costs are to the credit bureau. 1:59:37 PM MS. FOSTER said the second change is on page 11, line 23, for victims of identity theft to receive a freeze at no cost. This was requested by AARP. The original bill had no exemptions. SENATOR BUNDE said he was curious about the unfunded mandate. CHAIR ELLIS remarked that is an open issue at this point. MS. FOSTER went to page 12, lines 3-6, rights given to consumers, that outlined changes in the fee structure, a conforming change. 2:01:23 PM MS. LIDSTER went to page 16 and recording of documents. The original bill dealt with the DNR's concerns by making the exception for them to be able to accept whatever legal document they were required to record. The DNR and the DOL felt that exemption should also be in Section 45.48.400 on page 17, line 20. It states that prohibitions of this section do not apply to a person that is engaged in the business of government and is authorized by law or when the request or collection of the individual's social security number is required for the performance of a person's duties or responsibilities. This makes sure that an individual recording a document in the Recorder's Office was not responsible for the information that was on the document. SENATOR ELLIS asked if this circumstance is particular to the DNR. MS. LIDSTER replied it was brought to their attention by DNR because it has the unique duty of recording documents that may have personal information and it makes copies available. The department is not in a position to start going through those documents and deleting that recorded information. The provision relates to other government agencies or individuals that are authorized by law to perform this work. MS. FOSTER went to page 17, lines 28-29, where "from an individual there" replaced "an individual" with in relation to social security numbers. It was requested by Choice Point as clarifying language. SENATOR BUNDE asked how this applies if you want to cash a check at a bank that wants to see your social security number. MS. FOSTER replied the exemptions allow for disclosure of a social security number if it is needed to complete a financial transaction. 2:06:59 PM SENATOR BUNDE said it prohibits a business from asking, but asked if a person who wants to conduct business there can still volunteer it. MS. FOSTER didn't know how that would be addressed. 2:07:50 PM MS. FOSTER proceeded to page 18, lines 19-22, subsection (5) where "debt collection, fraud prevention and medical treatment" was inserted after "background check on an individual". This is because Premera was concerned that restricting social security numbers would prevent them from giving a patient his medical records. Doctors' offices were also concerned with this issue. 2:10:04 PM SENATOR BUNDE asked if there is a problem in Alaska of people selling social security numbers. MS. FOSTER replied that in the past an information services company allowed downloading of social security numbers. It was advertised on their website; that is no longer there. The numbers were from 1988 fishing licenses. She said that data brokering companies will still sell that information. This would just affect Alaskan records, not those in other states. She said the next change was requested by Choice Point as a clarification - on page 19, lines 8-11, subsection (d), language was added saying "transfer of an individual's social security number for the sole purpose of identifying a person about whom a report or database check is ordered, received or provided is not a sale, lease, loan, trade or rental or the social security number of this section." Finally, she said, on page 20, lines 2-5, the same language used in request or collection was inserted to allow for disclosure of social security numbers for debt collection, identity verification, fraud prevention and medical treatment. This change was requested by Premera. 2:14:20 PM CHAIR ELLIS said they would begin public testimony on the CS. 2:15:33 PM JON BURTON, Vice President, State Government Relations, Choice Point, Washington, D.C. introduced himself. AUDREY ROBINSON, Manager, State Government Affairs, Reed Elsevier, Parent Company of LexisNexis, introduced herself. JENNIFER FLYNN, Director, Government Affairs, Consumer Data Industry Association (CDIA), Washington, D.C. said her agency represents consumer companies like LexisNexis and Choice Point. MR. BURTON recalled their proposed amendments presented last week that they felt were necessary to not only allow the consumer protections in this bill to go forward, but also to removed some impediments to legitimate business activities that are currently going on today in Alaska and across the country. He wanted to briefly respond to some of the changes in the CS and then go into his proposed amendments. He commented that he hadn't seen many of the amendments in the CS and the fact that many of them were attributed to Choice Point came as an utter surprise to him. He asked members to refer to a copy of his proposed amendments from last week. MS. ROBINSON clarified that the amendments presented to the committee were based on the CS as it came over to the committee. So, some of the line numbers were slightly off given the new version. 2:20:19 PM at ease 2:21:52 PM CHAIR ELLIS noted his practice of providing CS to the general public as soon as possible. MR. BURTON said his primary concerns were with the social security number provisions, the credit freeze provisions and the breech notification. He started with the social security number provisions on page 17, line 27, Section 45.48.410. He said one change was made at his request and that was the insertion of language from an individual on line 29. 2:24:00 PM Choice Point's second proposed amendment dealt with Sections 45.48.410, .420 and .430 on pages 17-20. The contentious language is on page 18, line 1, where it says "(1) if the person is expressly authorized by local, state or federal law...." His issue with that is they aren't aware of many statutes, either state or federal, that specifically talk about the government use of social security numbers. His company operates under an umbrella of state and federal regulatory law which talks about the distribution, the sharing and transfer of non-public personal information and these kinds of definitions most of which include social security numbers. Many of their activities are engaged by such federal regulatory statutes such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLB), the Driver's Privacy Protection Act and the U.S. Patriot Act. These laws are what they call prohibitive statutes in that they set up things they can not do - except for certain permissible purposes or authorized exemptions. MR. BURTON explained that he has asked the sponsors to make a small language change to contemplate and conform to those federal statutes. The language would read, "if the person is permitted or authorized by local, state or federal law." He said he brought the federal statutes for their review. 2:26:00 PM MS. FLYNN said she had worked on this type of language in many states and while it is seemingly a simple issue, "permitted" and "authorized" are necessary for their businesses to continue providing their services. They feel that particular language complies with federal laws. Once "expressly authorized" is inserted they no longer can actually say they comply with the FCRA and GLB requirements, because those purposes are "permitted," they are not "authorized." MR. BURTON said the language at issue is in three separate social security number sections. So they want the suggested language included in all three sections for conformity as well. 2:27:58 PM MR. BURTON said the next language issue applies to all three social security number sections again. He explained that the bill sets up prohibitions on what can be done with social security numbers and then sets out a list of exemptions. One of the exemptions is for the GLB. His problem is that the GLB exemption it references does not have the legal effect they need to continue legitimate business operations. He has asked the sponsors to redraft the exemption to give what his lawyers said it needed to have legal effect. CHAIR ELLIS asked Ms. Bannister to address this specifically. 2:30:38 PM MR. BURTON said all three social security sections should be changed to have this legal effect. MS. FLYNN reiterated that credit reporting is regulated under FCRA and not being able to legally transmit social security numbers back and forth could stop credit reports from being transmitted to Alaska. CHAIR ELLIS said this came up in other states and asked how those credit agencies dealt with it. MS. FLYNN answered that many states don't particularly touch on social security numbers one way or another. But the states that have brought it up understand the fact that credit reports and the transfer of information not only from a consumer to the credit reporting agency, but the credit reporting agency to, for instance, a bank or to someone who is trying to get a lien or looking at a mortgage title - all those transactions include the social security number and are permissible under the FCRA. They want language to mirror the federal language. 2:34:29 PM MR. BURTON said language in subparagraph (5), page 18, line 19, was in Section 45.48.410 and .430, but not in .420. He asked that it reference all three for effect and conformity purposes. That concluded his suggestions on the social security provisions. 2:35:48 PM CHAIR ELLIS asked Ms. Foster and Ms. Lidster if they wanted to comment in terms of the policy calls, the impact of the tradeoffs and drafting issues. MS. FOSTER said Representative Gara had discussions with Mr. Burton about using "permitted" and the representative thought using it was too broad. Representative Gara also wanted a word that wasn't as narrow as "expressly authorized". They hadn't come to an agreement. CHAIR ELLIS asked if the drafting attorney had suggested language and if it would allow the business practice that other states have allowed. He said this issue really has to be resolved. ED SNIFFEN, Department of Law (DOL), said industry's concerns were that using "expressly authorized" in sections .410, .420 and .430 was too narrow for them to conduct business under the FCRA or GLB. He looked at the acts and even though the headings in some of them use terms like "permissible purposes" or "things that aren't prohibited," it seemed to suggest that "expressly authorized" wouldn't encompass that same meaning. The FCRA provides that "permissible purpose" of a consumer report allows that a consumer reporting agency "may furnish to a person which has a reason to believe that the information is going to be used in connection with a credit transaction involving the consumer". The Act says it is okay to furnish this information to a person and he thought "expressly authorized" could include statements like "may furnish". He suggested dropping "expressly" and using just "authorized". He thought "authorized" had more import than "permitted" because that is very broad. He said it's likely that existing language would allow them to do business, but he was continuing to work on this with them. In looking over Alaska Supreme Court cases, he hadn't found any legal distinction between using "authorized" and "permitted." MR. SNIFFEN said with respect to the exemptions in sections .410 and .430 the "expressly authorized" language is an "either or" under these sections, because regardless of whether something is expressly authorized or not, the bill does carve out an exemption for the Gramm-Leach-Bliley Act. It doesn't matter if it says "permitted" or "expressly authorized," if it's in the GLB Act, you are exempt. He hadn't focused on Mr. Burton's point about whether or not they are technically a financial institution and so that exemption may or may not apply to them, but he would be happy to have that conversation with him. The same for consumer reporting agencies under exemption 4 on page 18, line 16, that provides an exemption for a communication to or from a consumer reporting agency. The FCRA defines a consumer reporting entity to include, he believed, Choice Point and others; maybe that's where their hang-up was. He thought this exemption encompassed all that conduct. However, he said, those exemptions don't hinge on the language "expressly authorized" versus "permitted". CHAIR ELLIS asked him to think about what language would work. GAIL HILLEBRAND, Consumers Union, said on the issue of "expressly authorized" this bill is designed to restrict some conduct that now occurs in the marketplace. That is why it was brought forward. Her concerns with saying simply "authorized" or "permitted" without some kind of affirmative authorization or permission is that federal law allows all sorts of things that it doesn't prohibit. But it is implied. Federal law is structured so there are certain things you can't do and it just doesn't touch the universe of other things; this measure is designed to touch the remaining universe of other things. She thought this was a policy issue, not a drafting issue. MS. FOSTER said the sponsors made a policy call when inserting "for a purpose permitted or authorized by the Gramm-Leach-Bliley Act" into sections .410 and .430. The reason it is not just a conforming amendment and wasn't put into section .420 is because they are trying to prohibit the sale, lease, loan or trade of a social security number and institutions covered under GLB are allowed to engage in that business. It was a hard policy call. 2:46:48 PM CHAIR ELLIS asked if the restriction in the CS is common in other states. MS. FOSTER answered no other state has restrictions as tight as the ones being proposed. CHAIR ELLIS said they would come back to sections .410 and .430. 2:47:55 PM MS. FOSTER said the language for the Fair Credit Reporting Act was inserted because they didn't want to open all the sections of the bill to those purposes covered under it. On page 18, line 23, new language was added in the sale, lease, loan, trade or rental section for conformity with .410 and .430. They don't necessarily want the language in section .420 to conform exactly with the other two sections. It was another policy call that they don't feel the language covering the sale of a social security number should be the same as the language covered under disclosure or request for collection of a social security number. 2:50:00 PM CHAIR ELLIS asked Ms. Bannister's thoughts on the points that had been made from a drafting perspective. TERRY BANNISTER, Legislative Legal, said she could draft whatever is wanted. However, "permitted" is very broad and she didn't know if the parties could compromise on another word. CHAIR ELLIS stated that they wanted to make the right policy call, but they didn't want to make a compromise for comprise sake. 2:53:08 PM MS. BANNISTER asked what Mr. Burton particularly felt using "authorized" would not allow them to do. MS. FLYNN (GLB) answered that their lawyers interpret "authorize" specifically to mean authorize; there is no definitional ambiguity to that word. It means the law has to "authorize" it. The FCRA and the GLB do not do that; they "permit." If a lawyer is looking at what they are allowed to do and it says "authorized" by the FCRA, the FCRA doesn't authorize, it permits. Her company lawyers' interpretation is that they would no longer be able to provide the services under the FCRA. GLB is a broader financial institution law, so the consumer reporting agencies would not be able to provide the services that they provide. If there are certain things under federal law the state doesn't want them doing, that's a different question. But if you're trying to say they should be able to continue doing everything that is permissible under the FCRA and GLB, this would not allow them to do that. 2:55:14 PM MS. FOSTER had no response to that. 2:55:54 PM MS. BANNISTER asked why doesn't subsection (4) [in Section 45.48.410] allow it. MS. FLYNN replied as that particular section is written "a communication to or from a consumer reporting agency" is much too vague. They operate under very strict regulatory and legal guidelines and laws; it would be a disservice for her to say this is okay. Ambiguity is unacceptable and they are talking about secure information. MS. BANNISTER asked what she would use instead of "communication" that would be more concrete. MS. FLYNN replied she would have to discuss that with the companies and the lawyers. CHAIR ELLIS directed that to proceed. SENATOR BUNDE said he thought the crux of the matter is that things are allowed under the federal law that the CS won't allow. He asked if it was the sponsors' intent to limit practices that are allowed under federal law. MS. FOSTER said the sponsors believe what is allowed under federal law is really broad, and they are not comfortable with that, especially for social security numbers. It is the sponsors' intent to narrow those permitted uses. SENATOR BUNDE said he didn't think there were words that would solve this equation. CHAIR ELLIS said he thought language could be found to allow certain business practices. 3:00:21 PM MS. FLYNN asked which purposes they would be limiting. 3:02:06 PM BRYAN MERRELL, Regional Counsel, First American Title Insurance Company and Alaska Land Title Association, said he was concerned about an issue that was raised by the DNR Recorder's Office about making a public record of private information that might be contained in its recorded documents. He had been told those concerns were addressed by an exemption, but he wasn't sure. CHAIR ELLIS responded that no one from DNR was present, but they had represented to staff that they were satisfied with the change. 3:05:39 PM ALAN VAZQUEZ, American Electronics Association, suggested adding an email provision within the methods of notice section as a primary form of notice. They believe this because many of their member companies' primary method of communication with their customers is through email. It is also a quicker way to notify consumers and customers of a potential data breach. Second, he asked that a public exception provision be inserted in the definition of personal information in Section 45.48.090 (7) because business should be encouraged to focus resources on truly sensitive data elements. "It's imperative that the data elements include a definition that is consistent with those that truly lead to a significant risk of identity theft." Last, Mr. Vazquez encouraged them to look at the American Legislative Exchange Council's model definition of "data breach." It is their concern that the current definition in this bill is too broad and would lead to over notification and "boy cries wolf scenario." 3:09:22 PM KENTON BRYNE, Property Casualty Insurers Association (PCI) of America, said he had provided amendments to Representative Coghill's office, and their focus is entirely on Article 2 the credit freeze authorization provision - particularly Section 45.48.100. He said roughly 43 percent of the home, auto and business insurance polices written in America are written by PCI member companies. He said some 40 states have approved credit freeze language; 33 of those states have included some kind of language that allows insurers to continue to access credit related information and consumer reports for insurance related purposes even if a freeze has been placed on the credit file. He said primarily when someone's identity is stolen it is for the purpose of falsely getting access to money and loans. He was pretty sure that every state in the last two years that has crafted a security freeze bill has allowed insurer access to frozen credit files. He explained that insurers use credit information to determine risk to determine a rate. In this day of 24/7 access to insurance they want to keep the process as easy and hassle free for the consumer as possible. So, PCI has asked a number of states, including Idaho, Washington and Oregon, to adopt the language they are proposing for Section 45.48.100 in which they define for purposes of a credit freeze a credit report as a consumer report that is accessed for the purpose of determining someone's eligibility for a loan; this would allow other non- lending purposes to go forward even when a freeze is on file. They would seek to repeat that language in the definition section, 45.48.290(5). As for their other amendments, after consulting with Representative Coghill's staff, they determined the current CS is sufficient to allow insurers to treat a consumer fairly if they have a credit freeze and you're not allowed to access their credit reports if they won't lift the freeze. So they will not seek the amendments they previously sought for Section 45.48.130. 3:14:40 PM SENATOR BUNDE agreed that he doubted someone would steal someone else's identity to get lower insurance rates, but he asked if it is possible someone would try to hack an insurance company's files to steal identities and what could they do to prevent that. If it did happen, how would people be notified? MR. BRYNE replied the answer is in the security breach provisions of the bill. Insurers would be treated the same as other entities that are regulated under the legislation. They are not seeking any change in that. The only change is specific to accessing a file that has been frozen at the request of a consumer. He didn't know that any insurance company's files had been hacked, accessed or breached, but if that occurred, insurers would be subject to the same provisions as other institutions under the legislation. While some insurers are regulated under GLB, it depends on the activity; the provisions do not apply the same way to all companies. The protections that have been contemplated for other financial institutions are the same for insurers under the bill. SENATOR BUNDE commented to the representatives of the sponsors if the argument is about state law preempting federal law, they are having an academic exercise. 3:16:44 PM SHEILA CALCALSURE, Information Policy Officer for the Americas, Acxiom Corporation, said Acxiom is an information policy business and providing information solutions to its clients all over the United States that do things like identity authentication. Its tools are permitted under a Gramm-Leach- Bliley permitted use statute of the federal law. She said the outcome of this bill is very important to the way they serve their clients in Alaska and the United States. CHAIR ELLIS thanked everyone for their testimony and said they would continue with the bill at a later meeting. There being no further business to come before the committee, he adjourned the meeting at 3:18:57 PM.