A Summary of CS for House Bill 65 (Jud) – A Presentation to the HCCA Alaska Local Annual Conference Joan Wilson Asst Attorney General State of Alaska

House Bill 65 An Act relating to Breaches of security involving personal information, protection of social security numbers, and disposal of records

Remember This is still a bill –In House Finance –Needs advancement from the House and consideration of Senate –Approval by Governor If unaddressed concerns of Health Care Compliance Association –Utilize legislative process

Personal Information Protection Act Article 1 – Disclosure of security breach Article 2 – Credit Report and Credit Score Security Freeze Article 3 – Protection of Social Security Number Article 4 – Disposal of Records Article 5 – Identity Theft Article 6 – Truncation of Card Number Article 7 – General Provisions

Personal Information Protection Act We won’t discuss –Article 2 -- credit reporting and credit score security freezes –Article 5 -- Identity theft

Personal Information Protection Act Article 7 – General Provisions –Definitions impacting all Articles Consumer -- individual Consumer credit reporting agency Credit report Information system – any information system, including a system consisting of digital databases and a system consisting of pieces of paper Person – includes business entities, associations, and natural persons State resident – Meets tests of AS –Physically present with the intent to remain indefinitely and make a home –After establishing residency, consistent absences with residency acceptable

Personal Information Protection Act Article 1 – Breach of Security Involving Personal Information

Personal Information Protection Act Definitions –Information Collector: person who owns or uses personal information in any form if the personal information includes information on a state resident –Information Distributor: a person who is an information collector and who owns or licenses personal information to an information recipient

Personal Information Protection Act Definitions –Information Recipient: person who is an information collector but who does not own or have the right to license to another information collector the personal information received from the information distributor –Governmental Agency State or local government agency, except for the judicial branch

Personal Information Protection Act Definitions –Personal information: information in any form on an individual that is not encrypted or redacted, or is encrypted but the encryption key is accessed or acquired, and that consists of a combination of the following information

Personal Information Protection Act Definitions –Personal Information An Individual’s Name, address, or telephone Number, and One or more of the following –Social security number –Driver’s license number –State ID number –Account number or –Passwords or access codes

Personal Information Protection Act Definitions –Breach of Security An unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector –Acquisition includes acquisition by photocopying, facsimile or other paper-based method a device, including a computer, that can read, write, or store information that is represented in numerical form, or Any other method

Personal Information Protection Act Not a breach –The good faith acquisition of personal information by an employee or agent of an information collector for a legitimate purpose of the information collector is not a breach if the employee or agent does not use the information for an illegitimate purpose and does not make an unauthorized disclosure of the information Does not define “unauthorized disclosure” -- by law or individual

Personal Information Protection Act Rule on disclosure –If a person owns or uses personal information that includes personal information on a state resident and a breach of security of an information system occurs, the person shall, disclose the breach to each state resident whose personal information was subject to the breach

Personal Information Protection Act Rule on Disclosure –An information collector will disclose the breach in the most expeditious time possible and without unreasonable delay except As permitted under AS and As necessary to determine the scope of the breach and restore the integrity of the information system –AS – allowable delay Law enforcement agency determines disclosure interferes with ongoing investigation –Disclose as expeditiously as possible after receipt of written notice from agency that disclosure no longer interferes

Personal Information Protection Act Methods of Notice –Written document sent to most recent address the information collector has –Electronic means in compliance with 15 U.S.C (Electronic Signatures in Global and International Commerce Act) –Cost Effective Means (if qualify) Electronic mail Conspicuous posting on collector’s website and Notice to major statewide media

Personal Information Protection Act Methods of Notice –Qualification for Cost Effective Means Demonstrate notice by first methods would exceed $150,000 or Demonstrate affected class of state residents exceeds 300,000 or Demonstrate that the information collector does not have sufficient contact information to provide notice

Personal Information Protection Act Notification to consumer credit reporting agencies –If notification required to 1,000 or more state residents, the information collector shall also notify consumer credit reporting agencies of the breach This section may not be construed to require the collector to identify the names of individuals subject to the breach This section does not apply to an information collector subject to the Gramm-Leach-Bliley Financial Modernization Act (15 U.S.C )

Personal Information Protection Act No waiver of notification permitted Treatment of certain breaches –If there is a breach of an information recipient’s information system, the recipient need not give notice to the state residents, but must notify the information distributor The information distributor must give notice as if the breach occurred to the distributor’s information system

Personal Information Protection Act Penalties –If an information collector is a government agency Liable to the state up to $500 for each resident who is not notified up to $50,000 Enjoined from further violations Department of Administration enforces Apply APA and Office of Admin Hearings Procedures –If an information collector is not a government agency Violation is an unfair or deceptive act or practice under AS –Private and class actions –Three times actual damages or $500 whichever is greater Not liable for penalty under AS Is liable to state for a penalty up to $500 for each resident who is not notified up to $50,000

Personal Information Protection Act Article 2 – Credit Report and Credit Score Security Freeze –Not discussing –Review if you think it impacts your association or organization

Personal Information Protection Act Article 3 – Protection of Social Security Number

Personal Information Protection Act Use of Social Security Number –General Rule -- A person may not Intentionally communicate or otherwise make available to the general public an individual’s social security number Print an individual’s social security number on a card required to access products or services Require an individual to transmit the individual’s SSN over the internet unless the connection is secure or the ssn is encrypted

Personal Information Protection Act Use of Social Security Number –General Rule -- A person may not Require an individual to use his or her SSN to access an internet site unless a password, a unique number, or another authentication device is also required Print an SSN number on material mailed to the individual unless –Local, state, or federal law expressly authorizes the placement or –The number is included on an application or form to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the SSN, so long as the SSN is not printed on a postcard or in a manner that does not require opening of an envelope to view it.

Personal Information Protection Act Request and collection of SSN –General Rule: A person who does business in the state, including the business of government, may not request or collect an individual’s SSN.

Personal Information Protection Act Request and collection of SSN –Exceptions Expressly authorized by local, state, or federal law Government agency and the request or collection is authorized by law or the request or collection is required for the performance of the government’s duties To a financial institution subject to the Gramm- Leach-Bliley Financial Modernization Act

Personal Information Protection Act Request and collection of SSN –Exceptions To or from a consumer reporting agency For background check, law enforcement purposes, individual’s employment purpose Incidental to a larger transaction and necessary to verify the identity of the individual –The disclosure cannot have an independent economic value

Personal Information Protection Act No sale, lease, loan, trade or rent of an SSN unless authorized by law No disclosure of SSN to a 3 rd party, unless –Authorized by law –Government and authorized or required for performance of duties –Financial institution subject to Gramm-Leach-Bliley –Consumer reporting agency –Background check

Personal Information Protection Act Interagency disclosure between government agencies permissible if required to carry out other agency’s duties or responsibilities Employment purpose disclosure –A person may disclose the SSN to an employee or agent, including an independent contractor, of a person for a legitimate business purpose –For claim, benefit, or employment processing purpose

Personal Information Protection Act Authorized by law –Includes agency adopting regulations to identify when it may print an SSN on material, demand proof of SSN, ask an individual to provide SSN, disclose to a 3 rd party, or sell, lease, loan, trade, or rent and SSN to a 3 rd party Immediate effective date

Personal Information Protection Act Penalties –Knowing violation – civil penalty not to exceed $3,000 –Private cause of action Actual damages Court costs Reasonable attorney fees –Knowingly Aware that the conduct exists is of the nature or that the circumstance exists (See AS )

Personal Information Protection Act Article 4 – Disposal of Records

Personal Information Protection Act Article 4 -- Disposal of Records –Definitions Business – a person who conducts business in the state or a person who conducts business and maintains or otherwise possesses personal information on state residents –Conducts business defined inclusively (financial institutions and those that hold a license or authorization certification from the state)

Personal Information Protection Act Definitions –Governmental Agency State or local government agency, except for the judicial branch –Dispose Discard or abandon records Sale, donate, discard, or transfer devices

Personal Information Protection Act Definitions –Personal information Passport number, driver’s license number, state ID, bank account, credit, debit, or other payment card number, financial account information, information from a financial application – or A combination of an individual’s name, address, or telephone number and medical information, insurance policy number, employment information, or employment history

Personal Information Protection Act Definitions –Records – material on which information is written, drawn, spoken, visual, or electromagnetic is recorded or preserved Does not include publicly available information containing names, addresses, telephone numbers, or other information an individual has voluntarily consented to have public disseminated or listed –E.G. – phone books, MySpace pages?

Personal Information Protection Act Article 4 – Disposal of Records –Rule: When disposing of records that contain personal information, a business and a governmental agency shall take reasonable measures to protect against unauthorized access to or use of records If hire a third party engaged in business of record destruction (following due diligence standard), not liable after relinquish records Also not liable once release records to the individual whom the record pertains

Personal Information Protection Act Exception -- A business or governmental agency is not required to comply with Article 4 if Federal law requires the agency to act in a way that does not comply with Article 4 The business is subject to the Gramm-Leach-Bliley Financial Modernization Act The manner of disposal of records is subject to the Fair Credit Reporting Act and in compliance with 15 U.S.C. 1861w No apparent HIPAA exception –Also likely not inconsistent

Personal Information Protection Act Measures to protect access include –(Requirement) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of paper documents Destruction or erasure of electronic media and other non-paper media After due diligence, entering into a written contract with a third party in the business of record construction

Personal Information Protection Act Due diligence in selecting third party –Reviewing an independent audit of 3 rd party’s operations –Check with several references and requiring certification by a trade organization with high standards of review or –Reviewing and evaluating the 3 rd party’s information security policy and procedures or taking other measures to determine competency and integrity

Personal Information Protection Act Penalties –Knowing violation – civil penalty to the state not to exceed $3,000 –Private cause of action to enjoin action Actual damages Court costs Attorney fees –Same knowingly definition as above

Personal Information Protection Act Article 5 – Factual Declaration of Innocence after Identity Theft, Right to File Police Report Regarding Identity Theft

Personal Information Protection Act A victim of identity theft, the State, or the court may petition for declaration of innocence if –Perpetrator arrested, cited, or convicted –Criminal complaint filed against perpetrator, and –Victim’s identity mistakenly associated with record of conviction for a crime Reasonable doubt standard

Personal Information Protection Act Also right to file police report regarding identity theft

Personal Information Protection Act Article 6 – Truncation of Card Information

Personal Information Protection Act Truncation of Card Information –Rule: A person who accepts credit or debit cards for the transaction of business may not print more than the last four digits of the expiration date on the receipt or physical record of the transaction Applies only to electronically printed (not hand written or imprint) receipts No longer sell a device in the state after Jan 1, 2009 that electronically prints more than last 4 digits

Personal Information Protection Act Penalties –Knowing violation -- Liable to the State for a civil penalty not to exceed $3,000 –Private cause of action Actual damages of $5,000 – whichever is greater Court costs Attorney fees –Same knowingly standard as above

Personal Information Protection Act Questions?

Personal Information Protection Act