HOUSE FINANCE COMMITTEE January 23, 2008 1:39 p.m. CALL TO ORDER Co-Chair Meyer called the House Finance Committee meeting to order at 1:39:31 PM. MEMBERS PRESENT Representative Mike Chenault, Co-Chair Representative Kevin Meyer, Co-Chair Representative Bill Stoltze, Vice-Chair Representative Harry Crawford Representative Les Gara Representative Mike Hawker Representative Reggie Joule Representative Mike Kelly Representative Mary Nelson Representative Bill Thomas Jr. MEMBERS ABSENT Representative Richard Foster ALSO PRESENT Representative John Coghill; Kevin Brooks, Deputy Commissioner, Department of Administration; Clyde (Ed) Sniffen Jr., Senior Assistant Attorney General, Department of Law; Marie Darlin, Alaska Association of Retired People; Jon Burton, VIP Government Relations, Choice Point; Audrey Robinson, Manager, State and Government Affairs, Reed Elsevier/LexisNexis; Jennifer Flynn, Director, Government Affairs, Consumer Data Industry Association. PRESENT VIA TELECONFERENCE Gail Hillebrand, Senior Attorney, Consumers Union; Steve Cleary, Executive Director, Alaska Public Interest Research Group (AkPIRG); Lori Davey, Motznik Information Services; Richard Crabtree, Attorneys at Law, Anchorage; Mark Lawrence, Anchorage; Lorie Buckley, Director, North County Process, Anchorage. SUMMARY HB 65 "An Act relating to breaches of security involving personal information, credit report and credit score security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, care of records, disposal of records, identity theft, furnishing consumer credit header information, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings; amending Rule 60, Alaska Rules of Civil Procedure; and providing for an effective date." HB 65 was HEARD and HELD in committee for further consideration. HOUSE BILL NO. 65 "An Act relating to breaches of security involving personal information, credit report and credit score security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, care of records, disposal of records, identity theft, furnishing consumer credit header information, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings; amending Rule 60, Alaska Rules of Civil Procedure; and providing for an effective date." 1:40:34 PM REPRESENTATIVE COGHILL, testified in support of HB 65, which he referred to as the "Alaska Personal Information Protection Act." He maintained that HB 65 would help the State manage personal information with accountability. Representative Coghill explained that federal laws regulate different industries in different ways relating to privacy protection, which complicates the process. The issue is how to devise a law that protects consumers and their identity information while allowing business industries to use that information properly. When the information is not used properly, the question is how to hold businesses accountable and how to notify consumers when their identity has been compromised. Representative Coghill highlighted the section of the bill addressing Permanent Fund reporting and access to information connected to the Permanent Fund. He briefly described each of the seven articles making up the main body of the bill. 1:44:47 PM Article 1: Breach of Security of Personal Information - requires disclosure of breaches of security involving personal information. Article 2: Credit Report and Credit Score Security Freeze - allows consumers to freeze and unfreeze access to their credit information at their discretion. Article 3: Protection of Social Security Number - restricts sale and distribution, puts it in a more restrictive environment than the law sets up currently. Article 4: Disposal of Records - requires complete destruction of electronic and paper records that contain personal information. Article 5: Right to File Police Report Regarding Identity Theft - allows a person that falls victim to identify theft the right to a police report to make a factual declaration of innocence. Article 6: Truncation of Card Information - sets up guidelines for use of card numbers on receipts. Article 7: General Provisions - provides definitions for terms within the chapter, and cites the short title of this bill as the Alaska Personal Information Protection Act. 1:48:24 PM Representative Joule asked about identifying a social security number (SSN) using the last four numbers. Since Alaskans born in Alaska all have the same first three numbers, if the last four numbers are known, only the middle two numbers have to be found. Representative Coghill thought when the SSN was out for public view the last four numbers should be truncated. Representative Hawker said the bill only pertains to truncation of credit card numbers, not the SSN. 1:51:55 PM Representative Gara was identified as a co-sponsor of House Bill 65. He confirmed that the bill forbids the selling and trading of any part of an SSN. The four-number truncation issue applies to a growing problem with using credit cards. Not all copies have to be truncated according to federal law. House Bill 65 requires the merchant copy to be truncated as well as the customer's copy. 1:53:38 PM Representative Hawker noted the issue is complex and wondered whether some sections of the bill are less controversial than others. Representative Coghill thought the least contentious one would be the disposal of records, but still thought amendments would be proposed for every section. He anticipated response in relation to the credit score freeze, dealing with both costs and process; also with buying, selling or trading SSNs. He thought the general provisions and definitions sections in each area might raise issues; for example the difference between a credit reporting agency and a consumer credit reporting agency. He thought there would be more agreement about breach of security issues. 1:57:13 PM Co-Chair Meyer asked if other states were referenced. Representative Coghill said 32 other states have similar laws. Alaska will benefit from that experience. House Bill 65 has the right template and some good policy, but there will be some policy decisions. Representative Gara added that all or most of the sections are on subjects that other states have regulated. 1:59:54 PM Representative Coghill pointed out that when Alaska began the debate, not many states had passed laws. On some issues, such as SSN, Alaska is ahead. Representative Nelson noted that there was only one letter of opposition in the backup materials provided and that was to technical points (letter from AOL, Google, etc.). Representative Coghill reiterated that the bill was in everyone's best interests. 2:01:33 PM Representative Nelson voiced concerns about the way the bill was amended in Judiciary to allow access to Permanent Fund records by businesses. Vice-Chair Stoltze stressed the difficulty victims of identity theft experience. 2:04:32 PM Representative Coghill expressed his determination to advocate for individual Alaskans and also his sympathy towards businesses that need to move information while trying to navigate both state and federal laws. 2:06:04 PM Co-Chair Meyer wondered if municipalities have addressed the issues. 2:07:15 PM KEVIN BROOKS, DEPUTY COMMISSIONER, DEPARTMENT OF ADMINISTRATION provided information on the legislation. The State's approach to the bill has been twofold: first, how the State, as the keeper of numerous records, would be affected by penalties contemplated by the bill; and second, how the State would manage the considerable amount of data necessary to the business of government, from retirement and Permanent Fund data, to business and payroll records. 2:09:15 PM CLYDE (ED) SNIFFEN JR., SENIOR ASSISTANT ATTORNEY GENERAL, DEPARTMENT OF LAW, CONSUMER AFFAIRS described one of his job responsibilities as enforcement of Alaska's Consumer Protection Act, including education about identity theft. The State's concern with the bill includes provisions that expose the State to liability for individual lawsuits that seek to recover both economic and noneconomic damages. Under current state law, noneconomic damages are capped at $400,000 per individual. Mr. Sniffen described a hypothetical scenario in which 500,000 SSNs get released, resulting in several tens of billions of dollars in potential liability. The State has been working with the bill's sponsors to limit damages to economic losses. He acknowledged that people should be compensated for actual losses, but emphasized that non-economic loses can create significant problems for the state of Alaska in terms of exposure. 2:11:46 PM Mr. Sniffen also addressed the issue of the Permanent Fund Dividend (PFD) exception added to the bill in Judiciary. That section creates a broad exception to the disclosure of PFD applicant information. As written now, anyone with a business license who goes to the PFD office and is able to show a driver's license (which is easy to obtain) and says they are the person on the license can ask for and obtain information. There is no review of that request. The current language of the bill allows access to the information, including SSN and banking information, to nearly anyone who wants it. 2:13:01 PM Vice-Chair Stoltze appreciated Mr. Sniffen's testimony on the issue of the State's exposure, but thought a penalty provision for bad action might be an important motivator. Mr. Sniffen said the State operates differently than private industry. A business might be motivated to take action in response to a bill like House Bill 65. They can insure against the loss and build in procedures to protect against it. The State doesn't have those options but is required by law to collect, use and disclose information, including personal information. Certainly the State needs to be motivated to take the precautions the bill requires. Motivation is built into the bill in the form of civil penalties, for example. However, the bill exposes the State to subjective damages that would not further the goals of the legislation. Mr. Sniffen did not think these penalties would motivate agency personnel to act differently than if the provisions were not there. 2:15:47 PM Representative Hawker agreed that the economic loss limit made sense and thought the committee would agree. He disagreed with Mr. Sniffen's analysis regarding access to PFD information. He asked whether there was any substantive difference between making the name, mailing address and birth year of an applicant publicly available, and the information on the voter registration list, which is publicly available, by law, without stricture. Mr. Sniffen did not know about voter registration access. Typically information that could be found in a phone book is not considered harmful. This bill requires that for information to be considered personal it has to have features such as person's last name and first initial plus another identifier such as PIN number or SSN. 2:17:18 PM Representative Hawker thought there was far more information available in the voter record. He spoke to Mr. Sniffen's testimony regarding the availability of PFD information such as SSN and banking information. The language in the bill (page 3, line 16 of CS (JUD)) would limit disclosable information to name, mailing address and birth year of the PFD applicant. He asked if that would change Mr. Sniffen's testimony. Mr. Sniffen said it would, although the birth year was still troublesome. 2:20:02 PM Representative Gara said it was hard to speak for those who passed the law that prevented information from being made available in the past. He thought it was spurred by a stalker finding a home address and finding a person. He could not recall the specific case, but it did not end well. The PFD data base is the most comprehensive and updated data base of personal information the State has. Voter registration information tends to be more dated. Representative Nelson agreed with Mr. Sniffen's two points regarding exposing the State to liability and the PFD information. Having the information available leaves the State liable for serious non-economic damages. She didn't think having a home versus mailing address would make a significant difference because of how easy it is to find out where someone lives in small communities. She did not think people who are victims of stalking or domestic violence should be precluded from applying for a dividend because they're afraid of their information getting out. Representative Nelson was surprised that the legislation was amended in the House Judiciary Committee. The language expands the amount of information people can find on a citizen. She thought the ability for businesses or candidates to have access to PFD information should not be within the bill, but should be separate. Representative Nelson noted that identity theft is often a group effort. For many, this is a full time job. Some have been prosecuted using the RICO statute. She wondered if Alaska was looking at that. Mr. Sniffen advised that the State is not currently looking at the federal end. Most identity theft is prosecuted by the State's criminal division. He clarified that identity thieves do operate in a variety of ways; some specialize in some areas, some in others. They sell each other information. It's best to limit availability to even small pieces of information. 2:26:28 PM Co-Chair Meyer asked if the municipalities had been consulted. Mr. Sniffer replied they had not. Co-Chair Meyer asked about the fiscal note. Mr. Brooks explained that the fiscal note request was in the amount of $2 million dollars for encryption. There are also dollars included in the capital budget to encourage the State to look at all business practices, especially the disposal of paper. The department has submitted appropriation requests to update security since an attack on the State's network in 2005. Securing the State's data will be an on-going process. There are more and more sophisticated attacks on the State's databases. 2:29:00 PM Representative Gara asked if there would be testimony taken from the Office of Risk Management. He wondered if there would be many claims for non-economic damages; he thought Risk Management would say that less than 1 percent of the cases against the State would have $400,000 in non-economic damages awarded. Mr. Brooks stated those cases do exist even though they are a minority and offered to provide the requested information. The exposure is huge because of the multitude of data bases. Mr. Sniffen added that even at 1 cent on the dollar, there would be billions of dollars of liability. Attorneys could make a case that, whether a person has suffered any monetary harm at all, knowing their personal information has been compromised creates undo anxiety. He anticipated emotional distress claims. Economic damages are not the issue; the non-economic, subjective ones are of greatest concern. 2:32:01 PM MARIE DARLIN, COORDINATOR OF CAPITAL CITY TASK FORCE, ALASKA-ASSOCIATION OF RETIRED PERSONS (AARP), thanked members for the work done on the legislation. (Letter on file.) AARP believes that HB 65 will be one of the most comprehensive anti-theft bills nationwide. Articles 2 and 3 (Credit Report and Credit Score Security; Protection of SSN) make a good start on the problems. She pointed out that older identity theft victims have a higher mortality rate than non-victims of the same age. She anticipated that the legislation would help address those concerns and urged passage of the bill. 2:35:31 PM JON BURTON, VICE PRESIDENT, GOVERNMENT RELATIONS, CHOICE POINT, represented an information services company working for businesses and government. He testified that ChoicePoint does not oppose data breach notification, nor efforts to limit availability to SSNs. Their issues are related to compliance and consistency. Since there are no federal laws, his company has to work with a wide variety of state laws. ChoicePoint's main concerns about HB 65 relate to SSN provisions. They would like to limit the availability of SSNs in the public arena. 2:41:03 PM Representative Joule referred to a television commercial about protecting identity and wondered if the issue was stopping the numbers getting out there, or how the numbers got used. Mr. Burton said that the question of whether the SSN is the key to the lock or just one of the tools to open the lock is an on-going policy debate. 2:43:51 PM Representative Hawker spoke to the section of the bill that prohibits the sale, lease, loan, trade or rental of an individual SSN to a third party. He asked if Mr. Burton had any concerns that the prohibition might prevent his corporation from selling a business unit where the data basis including that information is a significant asset. Mr. Burton agreed that kind of transaction would be impacted by the bill. 2:46:11 PM Representative Gara pointed out that the bill was first filed right after the 2004 ChoicePoint breach. One of the provisions of the current bill says that when a company releases personal information and then finds out about it, they have to notify the people whose information was breached. When the ChoicePoint breach occurred, Californians were notified before Alaskans. He asked Mr. Burton to explain. Mr. Burton confirmed the company was breached and said they did notify Californians first because California was the only state with a law requiring notification. ChoicePoint did voluntarily conduct a fifty-state notification. He said the complications of the 2004 breach and aftermath illustrate the need for consistency across the states. 2:48:25 PM AUDREY ROBINSON, MANAGER, STATE AND GOVERNMENT AFFAIRS, REED ELSEVIER/LEXIS/NEXIS testified that her company does not oppose House Bill 65. Their issues focus on the security breach notification provisions of the bill, specifically related to the definitions section. Most states have similar legislation with about five items that must be linked in order to require a security breach notification. House Bill 65 creates more of a risk, alerting possible spammers to target someone, potentially increasing the number of notifications that can be given, which tends to make it difficult for consumers to discern which are important enough to require action. The bill also doesn't have a risk of harm standard. 2:51:19 PM MS. Robinson agreed with the other companies she carried the letter for (on file) on the point that email notification of breach would be reasonable. Reed Elsevier is also concerned with liability. They are supportive of civil actions and feel class actions are inappropriate means of remedying the situation. 2:55:01 PM Representative Hawker clarified the issue of electronic records vs. paper records and asked Ms. Robinson if a reading of the bill could be construed to include paper records with addresses. Ms. Robinson replied that other state law does not include address and phone number in the personal information definition. She felt the provision would make the definition overly broad; a mis-delivered piece of mail could be a breach and require notification. 2:56:51 PM Representative Gara turned to page 7 of the bill and pointed out that the definition of personal information refers to more than an individual's name and address. It must be a combination of name, address or telephone number and one or more other elements such as SSN, driver's license number or account numbers. Those are the things not allowed to be released to the public. Ms. Robinson replied that a piece of mail such as an opened bank statement that was mis-delivered would be considered a breach. Representative Gara disagreed. 2:58:29 PM JENNIFER FLYNN, DIRECTOR, GOVERNMENT AFFAIRS, CONSUMER DATA INDUSTRY ASSOCIATION identified her company as representing the bulk of credit reporting agencies across the country. She focused on the freeze provisions in the bill. 3:00:01 PM Representative Gara revisited his previous point and stressed that information collectors are required to notify a person if an individual's personal information has been breached. One individual does not have to notify another if they receive their mail by accident. 3:00:20 PM Ms. Flynn continued with her testimony, stating that her company did not oppose the bill and the intent behind it, but that they are concerned about consistency. At this time they have to consider the laws of 39 different states, plus Washington, D.C., regarding security freeze. Their goal is to help create as much consistency as possible, so they can continue to do business. They intend to work closely with Representatives Gara and Coghill regarding specific technical changes. Ms. Flynn identified California as the state with the longest experience with this kind of law. Most other states tend to mirror California's language. She compared HB 65 to California law, which has been in existence for six years. She observed that HB 65 calls for immediate lifts and removals. She referred to the provision for notification of erroneous release and observed that entities are generally given five days for notification after discovery. "After discover" would need to be added. There is concern regarding the placement of the reseller provisions. She favored a fee structure similar to California's: $10 to lift, place or remove. She acknowledged that other states have provided other fee structures. She stressed that her organization supports many aspects of the legislation (SSN, breach, freeze and security provisions) and felt the suggested changes would help get the support of consumer reporting agencies, while providing protection for Alaska. 3:05:21 PM Representative Hawker commented on credit freeze and the strong concerns indicated by the public especially regarding credit agencies. He asked if a standard had been established. Ms. Flynn stated that the freeze is a voluntary program and that there is model legislation established in how to freeze. Representative Hawker thought having the sponsors reconcile that standard with the proposal before the Legislature would be a good basis from which to move forward. 3:08:41 PM Representative Gara commented that even if Alaska did conform to the standard there would still be differences between states. Ms. Flynn replied that there is much conformity with the standard. She listed some of the standard provisions of the model legislation. Representative Gara asked about fees. Ms. Flynn explained that it costs $30 dollars to place the freeze. It costs $30 to lift the freeze for any period of time. The service is free if the person is a victim of identity theft. Representative Gara asked how many states charge less than $10 each. Ms. Flynn responded that the range on average is between $0 and $12, so a standard would be $5-$10. 3:13:04 PM Representative Crawford inquired who she had discussed the model legislation with in Alaska. Ms. Flynn responded that their lobbyist, Kim Hutchinson, had spoken to a number of legislators over time. 3:14:59 PM GAIL HILLEBRAND, (TESTIFIED VIA TELECONFERENCE), SENIOR ATTORNEY, WEST COAST OFFICE OF CONSUMERS' UNION, identified herself as one of the drafters of the Consumers Union model law on security freeze, notice of breach and other identity theft protections. They built the model on California's law and added improvements as other states made them. Ms. Hillebrand described some of the basic ideas of the model. The first is prevention. The security freeze gives consumers an opportunity to stop opening new accounts in their name, such as cell phone accounts. Sixteen percent of Alaska's identify theft complaints were about false utility accounts. She stressed the lack of consistency among the existing state laws and recommended consistency with the stronger states. California, Illinois, New York and Texas have a strong no-loophole approach. The customer gets the notice of breach if certain combinations of things occur; then they can decide whether to take action. Consumers Union is concerned about consumers not being given enough notice. Ms. Hillebrand discussed other states' approaches to SSNs. She cautioned against broad exemptions that simply refer to federal statutes, such as the Fair Credit Reporting Act, because those statutes were crafted for much different purposes than restricting the collection, use or sale of SSNs. 3:23:21 PM STEVE CLEARY, (TESTIFIED VIA TELECONFERENCE), EXECUTIVE DIRECTOR, ALASKA PUBLIC INTEREST RESEARCH GROUP (AKPIRG) said his organization has been advocating for consumers in Alaska since 1974 and supports House Bill 65. Alaska topped the nation in fraud complaints in 2005, including identity theft. Consumers can spend over 175 hours and $1000 to remedy the effects of identity theft. The Alaska Public Interest Research Group is most excited about the security freeze and mandatory notification because those tools help consumers protect themselves from identity theft. 3:27:32 PM LORI DAVEY, (TESTIFIED VIA TELECONFERENCE), MOTZNIK INFORMATION SERVICES testified in favor of House Bill 65. She supported the bill's definition of what constitutes "personal information" and legal recourse for its misuse. She supported re-authorizating the use of PFD names, mailing addresses and year of birth for legitimate business purposes and described the effects of the loss of access to PFD mailing addresses in 2005. She maintained that the only people the present law protects are criminals who do not want to be found. She commented on a recent case involving the Pilgrim family and how they used PFD funds. She thought victims of identity theft or mistaken identity have little resource to differentiate themselves from criminals or other individuals with the same name. (Statement on file.) 3:31:17 PM Representative Nelson wondered how to recognize legitimate businesses. A fishing permit, for example, is counted as a business license. That could be used to get information. Ms. Davey responded that in addition to having the license the person would have to have a legitimate reason for the request for information. Representative Nelson described Alaska as the only government wealthy enough to distribute money (the PFD) and so collect information on this scale and asked what other states or nations do when businesses are trying to obtain that kind of information. Ms. Davey said they use other kinds of national data bases, such as Lexis/Nexis and ChoicePoint. 3:34:05 PM Vice-Chair Stoltze hoped the public testimony will stay open. Co-Chair Meyer turned the chair over to Co-Chair Chenault. 3:35:26 PM RICHARD CRABTREE, (TESTIFIED VIA TELECONFERENCE) ATTORNEY AT LAW, ANCHORAGE voiced concerns about keeping PFD information accessible for legitimate purposes. He cited the example of the need to track down the heirs to an estate and other instances when people need due process. He observed that PFD information can be critical in these instances, especially when there are people in an area with the same names. He also supported limiting damages in breach of security cases to actual damages. 3:38:44 PM MARK LAWRENCE, (TESTIFYIED VIA TELECONFERENCE), ANCHORAGE works for one of the largest credit card processors in Alaska. He is part of a merchant advocacy program call the Merchant Bill of Rights that educates merchants on the importance of encryption and the transition and storage of credit card numbers. He addressed the issue of truncation, pointing out that it is not difficult to truncate the numbers on both receipts. 3:41:13 PM LORIE BUCKLEY, (TESTIFIED VIA TELECONFERENCE), DIRECTOR, NORTH COUNTRY PROCESS, ANCHORAGE agreed with much in the previous testimonies. She added that data such as addresses, alias names and SSNs are required to assist individuals who have been awarded a judgment or are seeking a judgment. The State gives individuals the right to sue, but in order to win they must know the name, SSN and/or date of birth. An address is required at the beginning of the process to serve an original complaint. Statistically, 25% of people who make complaints are not located and PFD data is valuable in locating individuals to serve them legal process. She would like the Committee to look at provisions allowing Alaska businesses access to Permanent Fund data. 3:47:52 PM Co-Chair Chenault stated he would not close public testimony as there may be others who will want to testify at a later time. Vice-Chair Stoltze commented on testimony regarding the Pilgrim family, stating that while there was abuse of the system there is no evidence indicating a pattern. 3:49:31 PM Representative Coghill closed his testimony by stating his intention to take suggestions and work on draft amendments. He planned to separate issues related to language from those that would require policy calls. He hoped to get the bill to conform to the best standards available to facilitate its movement through the Legislative process by the end of the session. HB 65 was heard and HELD in Committee for further consideration. ADJOURNMENT The meeting was adjourned at 3:51 PM