
A Summary of CS for House Bill 65 (Jud) – A Presentation to the HCCA Alaska Local Annual Conference. Joan Wilson, Asst Attorney General, State of Alaska, Joan.Wilson@alaska.gov.

Dec 16, 2015

Page 1: A Summary of CS for House Bill 65 (Jud) – A Presentation to the HCCA Alaska Local Annual Conference Joan Wilson Asst Attorney General State of Alaska Joan.Wilson@alaska.gov.


Page 2: House Bill 65

An Act relating to breaches of security involving personal information, protection of social security numbers, and disposal of records

Page 3: Remember

• This is still a bill
  – In House Finance
  – Needs advancement from the House and consideration by the Senate
  – Approval by Governor
• If the Health Care Compliance Association has unaddressed concerns
  – Utilize the legislative process

Page 4: Personal Information Protection Act

• Article 1 – Disclosure of security breach
• Article 2 – Credit Report and Credit Score Security Freeze
• Article 3 – Protection of Social Security Number
• Article 4 – Disposal of Records
• Article 5 – Identity Theft
• Article 6 – Truncation of Card Number
• Article 7 – General Provisions

Page 5: Personal Information Protection Act

• We won’t discuss
  – Article 2 -- Credit reporting and credit score security freezes
  – Article 5 -- Identity theft

Page 6: Personal Information Protection Act

• Article 7 – General Provisions
  – Definitions impacting all Articles
    • Consumer -- individual
    • Consumer credit reporting agency
    • Credit report
    • Information system – any information system, including a system consisting of digital databases and a system consisting of pieces of paper
    • Person – includes business entities, associations, and natural persons
    • State resident – Meets tests of AS 01.10.055
      – Physically present with the intent to remain indefinitely and make a home
      – After establishing residency, absences consistent with residency are acceptable

Page 7: Personal Information Protection Act

• Article 1 – Breach of Security Involving Personal Information

Page 8: Personal Information Protection Act

• Definitions
  – Information Collector: a person who owns or uses personal information in any form if the personal information includes information on a state resident
  – Information Distributor: a person who is an information collector and who owns or licenses personal information to an information recipient

Page 9: Personal Information Protection Act

• Definitions
  – Information Recipient: a person who is an information collector but who does not own or have the right to license to another information collector the personal information received from the information distributor
  – Governmental Agency
    • State or local government agency, except for the judicial branch

Page 10: Personal Information Protection Act

• Definitions
  – Personal information: information in any form on an individual that is not encrypted or redacted, or is encrypted but the encryption key is accessed or acquired, and that consists of a combination of the following information

Page 11: Personal Information Protection Act

• Definitions
  – Personal Information
    • An individual’s name, address, or telephone number, and
    • One or more of the following
      – Social security number
      – Driver’s license number
      – State ID number
      – Account number, or
      – Passwords or access codes

Page 12: Personal Information Protection Act

• Definitions
  – Breach of Security
    • An unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector
  – Acquisition includes acquisition by
    • photocopying, facsimile, or other paper-based method
    • a device, including a computer, that can read, write, or store information that is represented in numerical form, or
    • any other method

Page 13: Personal Information Protection Act

• Not a breach
  – The good faith acquisition of personal information by an employee or agent of an information collector for a legitimate purpose of the information collector is not a breach if the employee or agent does not use the information for an illegitimate purpose and does not make an unauthorized disclosure of the information
• Does not define “unauthorized disclosure” -- by law or individual

Page 14: Personal Information Protection Act

• Rule on disclosure
  – If a person owns or uses personal information that includes personal information on a state resident and a breach of security of an information system occurs, the person shall disclose the breach to each state resident whose personal information was subject to the breach

Page 15: Personal Information Protection Act

• Rule on Disclosure
  – An information collector will disclose the breach in the most expeditious time possible and without unreasonable delay except
    • As permitted under AS 45.48.020 and
    • As necessary to determine the scope of the breach and restore the integrity of the information system
  – AS 45.48.020 – allowable delay
    • Law enforcement agency determines disclosure interferes with ongoing investigation
      – Disclose as expeditiously as possible after receipt of written notice from the agency that disclosure no longer interferes

Page 16: Personal Information Protection Act

• Methods of Notice
  – Written document sent to the most recent address the information collector has
  – Electronic means in compliance with 15 U.S.C. 7001 (Electronic Signatures in Global and International Commerce Act)
  – Cost Effective Means (if qualify)
    • Electronic mail
    • Conspicuous posting on collector’s website and
    • Notice to major statewide media

Page 17: Personal Information Protection Act

• Methods of Notice
  – Qualification for Cost Effective Means
    • Demonstrate notice by the first methods would exceed $150,000, or
    • Demonstrate the affected class of state residents exceeds 300,000, or
    • Demonstrate that the information collector does not have sufficient contact information to provide notice

Page 18: Personal Information Protection Act

• Notification to consumer credit reporting agencies
  – If notification is required to 1,000 or more state residents, the information collector shall also notify consumer credit reporting agencies of the breach
    • This section may not be construed to require the collector to identify the names of individuals subject to the breach
    • This section does not apply to an information collector subject to the Gramm-Leach-Bliley Financial Modernization Act (15 U.S.C. 6801-6827)

Page 19: Personal Information Protection Act

• No waiver of notification permitted
• Treatment of certain breaches
  – If there is a breach of an information recipient’s information system, the recipient need not give notice to the state residents, but must notify the information distributor
    • The information distributor must give notice as if the breach occurred to the distributor’s information system

Page 20: Personal Information Protection Act

• Penalties
  – If an information collector is a government agency
    • Liable to the state up to $500 for each resident who is not notified, up to $50,000
    • Enjoined from further violations
    • Department of Administration enforces
    • Apply APA and Office of Administrative Hearings procedures
  – If an information collector is not a government agency
    • Violation is an unfair or deceptive act or practice under AS 45.50.471 - 45.50.561
      – Private and class actions
      – Three times actual damages or $500, whichever is greater
    • Not liable for penalty under AS 45.50.551
    • Is liable to the state for a penalty up to $500 for each resident who is not notified, up to $50,000
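The Article 1 rules summarized on pages 10 through 20 (what counts as personal information, which notice method applies, when credit reporting agencies must be told, who notifies when a recipient is breached, and the per-resident penalty cap) form a decision procedure that an incident-response team can encode. The following is an added example written for this page, not part of the presentation or the bill; the field labels, the `RecordSet` type and the constructed incident are illustrative assumptions, and the thresholds are taken from the slides as presented.

```python
"""Breach-notification decision helper modelled on the Article 1 slides above.

Added example, not part of the presentation or the bill text. Field labels,
the RecordSet type and the sample incident are constructed for illustration.
"""
from dataclasses import dataclass

# Data element kinds, as grouped on the "Personal Information" slide (page 11).
IDENTIFIERS = {"name", "address", "telephone"}
SENSITIVE = {"ssn", "drivers_license", "state_id", "account_number",
             "password_or_access_code"}

# Thresholds quoted on pages 17, 18 and 20.
DIRECT_NOTICE_COST_LIMIT = 150_000   # cost-effective notice if direct notice exceeds this
DIRECT_NOTICE_CLASS_LIMIT = 300_000  # ... or the affected class exceeds this
CREDIT_AGENCY_TRIGGER = 1_000        # notify credit reporting agencies at/above this
PENALTY_PER_RESIDENT = 500
PENALTY_CAP = 50_000


@dataclass(frozen=True)
class RecordSet:
    """What a compromised data set contained (constructed description)."""
    fields: frozenset
    encrypted: bool = False
    key_compromised: bool = False
    redacted: bool = False


def is_personal_information(rs: RecordSet) -> bool:
    """Page 10/11: identifier plus a sensitive element, in usable (not protected) form."""
    if rs.redacted:
        return False
    if rs.encrypted and not rs.key_compromised:
        return False
    return bool(rs.fields & IDENTIFIERS) and bool(rs.fields & SENSITIVE)


def notice_method(affected: int, direct_cost: int, have_contact_info: bool) -> str:
    """Page 16/17: written or electronic notice unless a cost-effective qualifier is met."""
    if (direct_cost > DIRECT_NOTICE_COST_LIMIT
            or affected > DIRECT_NOTICE_CLASS_LIMIT
            or not have_contact_info):
        return "cost-effective: e-mail, conspicuous website posting and statewide media"
    return "written notice to last known address or electronic notice under 15 U.S.C. 7001"


def must_notify_credit_agencies(affected: int, glba_covered: bool) -> bool:
    """Page 18: 1,000+ residents triggers agency notice, except for GLBA-covered collectors."""
    return affected >= CREDIT_AGENCY_TRIGGER and not glba_covered


def who_notifies_residents(role: str) -> str:
    """Page 19: a breached information recipient tells the distributor, who notifies residents."""
    return "information distributor" if role == "recipient" else role


def state_penalty(not_notified: int) -> int:
    """Page 20: $500 per resident not notified, capped at $50,000."""
    return min(PENALTY_PER_RESIDENT * not_notified, PENALTY_CAP)


def assess(rs: RecordSet, affected: int, direct_cost: int, have_contact_info: bool,
           glba_covered: bool = False, role: str = "information collector") -> dict:
    """Combine the rules into one assessment for a single incident."""
    if not is_personal_information(rs):
        return {"notice_required": False,
                "reason": "data is not 'personal information' as defined"}
    return {
        "notice_required": True,
        "notifier": who_notifies_residents(role),
        "method": notice_method(affected, direct_cost, have_contact_info),
        "credit_agencies": must_notify_credit_agencies(affected, glba_covered),
        "max_state_penalty_if_nobody_notified": state_penalty(affected),
    }


if __name__ == "__main__":
    # Constructed incident: a lost laptop holding an unencrypted export of
    # 1,200 residents' name, address and SSN; direct mail estimated at $2,400.
    laptop = RecordSet(fields=frozenset({"name", "address", "ssn"}))
    print(assess(laptop, affected=1_200, direct_cost=2_400, have_contact_info=True))
```

Encrypted data whose key was also taken is treated as personal information, which is the edge case the page 10 definition calls out.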

Page 21: Personal Information Protection Act

• Article 2 – Credit Report and Credit Score Security Freeze
  – Not discussing
  – Review if you think it impacts your association or organization

Page 22: Personal Information Protection Act

• Article 3 – Protection of Social Security Number

Page 23: Personal Information Protection Act

• Use of Social Security Number
  – General Rule -- A person may not
    • Intentionally communicate or otherwise make available to the general public an individual’s social security number
    • Print an individual’s social security number on a card required to access products or services
    • Require an individual to transmit the individual’s SSN over the internet unless the connection is secure or the SSN is encrypted

Page 24: Personal Information Protection Act

• Use of Social Security Number
  – General Rule -- A person may not
    • Require an individual to use his or her SSN to access an internet site unless a password, a unique number, or another authentication device is also required
    • Print an SSN on material mailed to the individual unless
      – Local, state, or federal law expressly authorizes the placement, or
      – The number is included on an application or form to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the SSN, so long as the SSN is not printed on a postcard or in a manner that does not require opening an envelope to view it

Page 25: Personal Information Protection Act

• Request and collection of SSN
  – General Rule: A person who does business in the state, including the business of government, may not request or collect an individual’s SSN.

Page 26: Personal Information Protection Act

• Request and collection of SSN
  – Exceptions
    • Expressly authorized by local, state, or federal law
    • Government agency and the request or collection is authorized by law or the request or collection is required for the performance of the government’s duties
    • To a financial institution subject to the Gramm-Leach-Bliley Financial Modernization Act

Page 27: Personal Information Protection Act

• Request and collection of SSN
  – Exceptions
    • To or from a consumer reporting agency
    • For background check, law enforcement purposes, or the individual’s employment purpose
    • Incidental to a larger transaction and necessary to verify the identity of the individual
      – The disclosure cannot have an independent economic value

Page 28: Personal Information Protection Act

• No sale, lease, loan, trade, or rent of an SSN unless authorized by law
• No disclosure of SSN to a 3rd party, unless
  – Authorized by law
  – Government and authorized or required for performance of duties
  – Financial institution subject to Gramm-Leach-Bliley
  – Consumer reporting agency
  – Background check

Page 29: Personal Information Protection Act

• Interagency disclosure between government agencies permissible if required to carry out the other agency’s duties or responsibilities
• Employment purpose disclosure
  – A person may disclose the SSN to an employee or agent, including an independent contractor, of a person for a legitimate business purpose
  – For claim, benefit, or employment processing purpose

Page 30: Personal Information Protection Act

• Authorized by law
  – Includes an agency adopting regulations to identify when it may print an SSN on material, demand proof of SSN, ask an individual to provide an SSN, disclose to a 3rd party, or sell, lease, loan, trade, or rent an SSN to a 3rd party
• Immediate effective date

Page 31: Personal Information Protection Act

• Penalties
  – Knowing violation – civil penalty not to exceed $3,000
  – Private cause of action
    • Actual damages
    • Court costs
    • Reasonable attorney fees
  – Knowingly
    • Aware that the conduct is of that nature or that the circumstance exists (see AS 11.81.900)

Page 32: Personal Information Protection Act

• Article 4 – Disposal of Records

Page 33: Personal Information Protection Act

• Article 4 -- Disposal of Records
  – Definitions
    • Business – a person who conducts business in the state or a person who conducts business and maintains or otherwise possesses personal information on state residents
      – Conducts business defined inclusively (financial institutions and those that hold a license or authorization certification from the state)

Page 34: Personal Information Protection Act

• Definitions
  – Governmental Agency
    • State or local government agency, except for the judicial branch
  – Dispose
    • Discard or abandon records
    • Sell, donate, discard, or transfer devices

Page 35: Personal Information Protection Act

• Definitions
  – Personal information
    • Passport number, driver’s license number, state ID, bank account, credit, debit, or other payment card number, financial account information, information from a financial application – or
    • A combination of an individual’s name, address, or telephone number and medical information, insurance policy number, employment information, or employment history

Page 36: Personal Information Protection Act

• Definitions
  – Records – material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved
    • Does not include publicly available information containing names, addresses, telephone numbers, or other information an individual has voluntarily consented to have publicly disseminated or listed
      – E.g. – phone books, MySpace pages?

Page 37: Personal Information Protection Act

• Article 4 – Disposal of Records
  – Rule: When disposing of records that contain personal information, a business and a governmental agency shall take reasonable measures to protect against unauthorized access to or use of the records
    • If a third party engaged in the business of record destruction is hired (following the due diligence standard), not liable after relinquishing the records
    • Also not liable once the records are released to the individual to whom the record pertains

Page 38: Personal Information Protection Act

• Exception -- A business or governmental agency is not required to comply with Article 4 if
  • Federal law requires the agency to act in a way that does not comply with Article 4
  • The business is subject to the Gramm-Leach-Bliley Financial Modernization Act
  • The manner of disposal of records is subject to the Fair Credit Reporting Act and in compliance with 15 U.S.C. 1861w
• No apparent HIPAA exception
  – Also likely not inconsistent

Page 39: Personal Information Protection Act

• Measures to protect access include
  – (Requirement) Implementing and monitoring compliance with policies and procedures that require
    • the burning, pulverizing, or shredding of paper documents
    • Destruction or erasure of electronic media and other non-paper media
    • After due diligence, entering into a written contract with a third party in the business of record destruction

Page 40: Personal Information Protection Act

• Due diligence in selecting a third party
  – Reviewing an independent audit of the 3rd party’s operations
  – Checking with several references and requiring certification by a trade organization with high standards of review, or
  – Reviewing and evaluating the 3rd party’s information security policy and procedures or taking other measures to determine competency and integrity

Page 41: Personal Information Protection Act

• Penalties
  – Knowing violation – civil penalty to the state not to exceed $3,000
  – Private cause of action to enjoin action
    • Actual damages
    • Court costs
    • Attorney fees
  – Same knowingly definition as above

Page 42: Personal Information Protection Act

• Article 5 – Factual Declaration of Innocence after Identity Theft, Right to File Police Report Regarding Identity Theft

Page 43: Personal Information Protection Act

• A victim of identity theft, the State, or the court may petition for declaration of innocence if
  – Perpetrator arrested, cited, or convicted
  – Criminal complaint filed against perpetrator, and
  – Victim’s identity mistakenly associated with record of conviction for a crime
    • Reasonable doubt standard

Page 44: Personal Information Protection Act

• Also right to file police report regarding identity theft

Page 45: Personal Information Protection Act

• Article 6 – Truncation of Card Information

Page 46: Personal Information Protection Act

• Truncation of Card Information
  – Rule: A person who accepts credit or debit cards for the transaction of business may not print more than the last four digits of the expiration date on the receipt or physical record of the transaction
    • Applies only to electronically printed (not hand written or imprint) receipts
    • No longer sell a device in the state after Jan 1, 2009 that electronically prints more than the last 4 digits

Page 47: Personal Information Protection Act

• Penalties
  – Knowing violation -- Liable to the State for a civil penalty not to exceed $3,000
  – Private cause of action
    • Actual damages or $5,000, whichever is greater
    • Court costs
    • Attorney fees
  – Same knowingly standard as above

Page 48: Personal Information Protection Act

• Questions?

Page 49: Personal Information Protection Act