This page is no longer used please use www.akleg.gov
25th Legislature(2007-2008)

Bill Text 25th Legislature


00 Enrolled HB 65                                                                                                          
01 Relating to breaches of security involving personal information, credit report and credit score                         
02 security freezes, protection of social security numbers, care of records, disposal of records,                          
03 identity theft, credit cards, and debit cards, disclosure of the names and addresses of                                 
04 permanent fund dividend applicants, and to the jurisdiction of the office of administrative                             
05 hearings; amending Rules 60 and 82, Alaska Rules of Civil Procedure; and providing for an                               
06 effective date.                                                                                                         
07                           _______________                                                                               
08    * Section 1. AS 40.21.110 is amended to read:                                                                      
09            Sec. 40.21.110. Care of records. Except for public records lawfully in the                                 
10       possession of a person other than the state, public records of existing or defunct                                
11       agencies of the state, territorial, and Russian governments in Alaska are the property                            
12       of the state and shall be created, maintained, preserved, stored, transferred, destroyed                          
13       or disposed of, and otherwise managed in accordance with the provisions of this                                   
14       chapter and AS 45.48.500 - 45.48.530. Records shall be delivered by outgoing                                  
01       officials and employees to their successors, and may not be removed, destroyed, or                            
02       disposed of, except as provided in this chapter and AS 45.48.500 - 45.48.530.                                 
03    * Sec. 2. AS 43.23.017 is amended by adding a new subsection to read:                                              
04            (b)  Notwithstanding (a) of this section, the department may release the names                               
05       and addresses of permanent fund dividend applicants to a legislator of this state and to                          
06       the legislator's office staff for official legislative purposes.                                                  
07    * Sec. 3. AS 44.64.030(a) is amended by adding a new paragraph to read:                                            
08                 (40)  AS 45.48.080(c) (breach of security involving personal                                            
09       information).                                                                                                     
10    * Sec. 4. AS 45 is amended by adding a new chapter to read:                                                        
11                Chapter 48. Personal Information Protection Act.                                                       
12            Article 1. Breach of Security Involving Personal Information.                                              
13            Sec. 45.48.010. Disclosure of breach of security. (a) If a covered person owns                             
14       or licenses personal information in any form that includes personal information on a                              
15       state resident, and a breach of the security of the information system that contains                              
16       personal information occurs, the covered person shall, after discovering or being                                 
17       notified of the breach, disclose the breach to each state resident whose personal                                 
18       information was subject to the breach.                                                                            
19            (b)  An information collector shall make the disclosure required by (a) of this                              
20       section in the most expeditious time possible and without unreasonable delay, except                              
21       as provided in AS 45.48.020 and as necessary to determine the scope of the breach and                             
22       restore the reasonable integrity of the information system.                                                       
23            (c)  Notwithstanding (a) of this section, disclosure is not required if, after an                            
24       appropriate investigation and after written notification to the attorney general of this                          
25       state, the covered person determines that there is not a reasonable likelihood that harm                          
26       to the consumers whose personal information has been acquired has resulted or will                                
27       result from the breach. The determination shall be documented in writing, and the                                 
28       documentation shall be maintained for five years.  The notification required by this                              
29       subsection may not be considered a public record open to inspection by the public.                                
30            Sec. 45.48.020. Allowable delay in notification. An information collector                                  
31       may delay disclosing the breach under AS 45.48.010 if an appropriate law                                          
01       enforcement agency determines that disclosing the breach will interfere with a                                    
02       criminal investigation. However, the information collector shall disclose the breach to                           
03       the state resident in the most expeditious time possible and without unreasonable delay                           
04       after the law enforcement agency informs the information collector in writing that                                
05       disclosure of the breach will no longer interfere with the investigation.                                         
06            Sec. 45.48.030. Methods of notice. An information collector shall make the                                 
07       disclosure required by AS 45.48.010                                                                               
08                 (1)  by a written document sent to the most recent address the                                          
09       information collector has for the state resident;                                                                 
10                 (2)  by electronic means if the information collector's primary method                                  
11       of communication with the state resident is by electronic means or if making the                                  
12       disclosure by the electronic means is consistent with the provisions regarding                                    
13       electronic records and signatures required for notices legally required to be in writing                          
14       under 15 U.S.C. 7001 et seq. (Electronic Signatures in Global and National Commerce                               
15       Act); or                                                                                                          
16                 (3)  if the information collector demonstrates that the cost of providing                               
17       notice would exceed $150,000, that the affected class of state residents to be notified                           
18       exceeds 300,000, or that the information collector does not have sufficient contact                               
19       information to provide notice, by                                                                                 
20                      (A)  electronic mail if the information collector has an                                           
21            electronic mail address for the state resident;                                                              
22                      (B)  conspicuously posting the disclosure on the Internet                                          
23            website of the information collector if the information collector maintains an                               
24            Internet website; and                                                                                        
25                      (C)  providing a notice to major statewide media.                                                  
26            Sec. 45.48.040. Notification of certain other agencies. (a) If an information                              
27       collector is required by AS 45.48.010 to notify more than 1,000 state residents of a                              
28       breach, the information collector shall also notify without unreasonable delay all                                
29       consumer credit reporting agencies that compile and maintain files on consumers on a                              
30       nationwide basis and provide the agencies with the timing, distribution, and content of                           
31       the notices to state residents.                                                                                   
01            (b)  This section may not be construed to require the information collector to                               
02       provide the consumer reporting agencies identified under (a) of this section with the                             
03       names or other personal information of the state residents whose personal information                             
04       was subject to the breach.                                                                                        
05            (c)  This section does not apply to an information collector who is subject to                               
06       the Gramm-Leach-Bliley Financial Modernization Act.                                                               
07            (d)  In this section, "consumer credit reporting agency that compiles and                                    
08       maintains files on consumers on a nationwide basis" has the meaning given to                                      
09       "consumer reporting agency that compiles and maintains files on consumers on a                                    
10       nationwide basis" in 15 U.S.C. 1681a(p).                                                                          
11            Sec. 45.48.050. Exception for employees and agents. In AS 45.48.010 -                                      
12       45.48.090, the good faith acquisition of personal information by an employee or agent                             
13       of an information collector for a legitimate purpose of the information collector is not                          
14       a breach of the security of the information system if the employee or agent does not                              
15       use the personal information for a purpose unrelated to a legitimate purpose of the                               
16       information collector and does not make further unauthorized disclosure of the                                    
17       personal information.                                                                                             
18            Sec. 45.48.060. Waivers. A waiver of AS 45.48.010 - 45.48.090 is void and                                  
19       unenforceable.                                                                                                    
20            Sec. 45.48.070. Treatment of certain breaches. (a) If a breach of the security                             
21       of the information system containing personal information on a state resident that is                             
22       maintained by an information recipient occurs, the information recipient is not                                   
23       required to comply with AS 45.48.010 - 45.48.030. However, immediately after the                                  
24       information recipient discovers the breach, the information recipient shall notify the                            
25       information distributor who owns the personal information or who licensed the use of                              
26       the personal information to the information recipient about the breach and cooperate                              
27       with the information distributor as necessary to allow the information distributor to                             
28       comply with (b) of this section. In this subsection, "cooperate" means sharing with the                           
29       information distributor information relevant to the breach, except for confidential                               
30       business information or trade secrets.                                                                            
31            (b)  If an information recipient notifies an information distributor of a breach                             
01       under (a) of this section, the information distributor shall comply with AS 45.48.010 -                           
02       45.48.030 as if the breach occurred to the information system maintained by the                                   
03       information distributor.                                                                                          
04            Sec. 45.48.080. Violations. (a) If an information collector who is a                                       
05       governmental agency violates AS 45.48.010 - 45.48.090 with regard to the personal                                 
06       information of a state resident, the information collector                                                        
07                 (1)  is liable to the state for a civil penalty of up to $500 for each state                            
08       resident who was not notified under AS 45.48.010 - 45.48.090, but the total civil                                 
09       penalty may not exceed $50,000; and                                                                               
10                 (2)  may be enjoined from further violations.                                                           
11            (b)  If an information collector who is not a governmental agency violates                                   
12       AS 45.48.010 - 45.48.090 with regard to the personal information of a state resident,                             
13       the violation is an unfair or deceptive act or practice under AS 45.50.471 - 45.50.561.                           
14       However,                                                                                                          
15                 (1)  the information collector is not subject to the civil penalties                                    
16       imposed under AS 45.50.551 but is liable to the state for a civil penalty of up to $500                           
17       for each state resident who was not notified under AS 45.48.010 - 45.48.090, except                               
18       that the total civil penalty may not exceed $50,000; and                                                          
19                 (2)  damages that may be awarded against the information collector                                      
20       under                                                                                                             
21                      (A)  AS 45.50.531 are limited to actual economic damages that                                      
22            do not exceed $500; and                                                                                      
23                      (B)  AS 45.50.537 are limited to actual economic damages.                                          
24            (c)  The Department of Administration may enforce (a) of this section against a                              
25       governmental agency. The procedure for review of an order or action of the                                        
26       department under this subsection is the same as the procedure provided by AS 44.62                                
27       (Administrative Procedure Act), except that the office of administrative hearings                                 
28       (AS 44.64.010) shall conduct the hearings in contested cases and the decision may be                              
29       appealed under AS 44.64.030(c).                                                                                   
30            Sec. 45.48.090. Definitions. In AS 45.48.010 - 45.48.090,                                                  
31                 (1)  "breach of the security" means unauthorized acquisition, or                                        
01       reasonable belief of unauthorized acquisition, of personal information that                                       
02       compromises the security, confidentiality, or integrity of the personal information                               
03       maintained by the information collector; in this paragraph, "acquisition" includes                                
04       acquisition by                                                                                                    
05                      (A)  photocopying, facsimile, or other paper-based method;                                         
06                      (B)  a device, including a computer, that can read, write, or                                      
07            store information that is represented in numerical form; or                                                  
08                      (C)  a method not identified by (A) or (B) of this paragraph;                                      
09                 (2)  "covered person" means a                                                                           
10                      (A)  person doing business;                                                                        
11                      (B)  governmental agency; or                                                                       
12                      (C)  person with more than 10 employees;                                                           
13                 (3)  "governmental agency" means a state or local governmental                                          
14       agency, except for an agency of the judicial branch;                                                              
15                 (4)  "information collector" means a covered person who owns or                                         
16       licenses personal information in any form if the personal information includes                                    
17       personal information on a state resident;                                                                         
18                 (5)  "information distributor" means a person who is an information                                     
19       collector and who owns or licenses personal information to an information recipient;                              
20                 (6)  "information recipient" means a person who is an information                                       
21       collector but who does not own or have the right to license to another information                                
22       collector the personal information received by the person from an information                                     
23       distributor;                                                                                                      
24                 (7)  "personal information" means information in any form on an                                         
25       individual that is not encrypted or redacted, or is encrypted and the encryption key has                          
26       been accessed or acquired, and that consists of a combination of                                                  
27                      (A)  an individual's name; in this subparagraph, "individual's                                     
28            name" means a combination of an individual's                                                                 
29                           (i)  first name or first initial; and                                                         
30                           (ii)  last name; and                                                                          
31                      (B)  one or more of the following information elements:                                            
01                           (i)  the individual's social security number;                                                 
02                           (ii)  the individual's driver's license number or state                                       
03                 identification card number;                                                                             
04                           (iii)  except as provided in (iv) of this subparagraph, the                                   
05                 individual's account number, credit card number, or debit card number;                                  
06                           (iv)  if an account can only be accessed with a personal                                      
07                 code, the number in (iii) of this subparagraph and the personal code; in                                
08                 this sub-subparagraph, "personal code" means a security code, an                                        
09                 access code, a personal identification number, or a password;                                           
10                           (v)  passwords, personal identification numbers, or other                                     
11                 access codes for financial accounts.                                                                    
12             Article 2. Credit Report and Credit Score Security Freeze.                                                
13            Sec. 45.48.100. Security freeze authorized. A consumer may prohibit a                                      
14       consumer credit reporting agency from releasing the consumer's credit report or credit                            
15       score without the express authorization of the consumer by placing a security freeze                              
16       on the consumer's credit report.                                                                                  
17            Sec. 45.48.110. Placement of security freeze. (a) To place a security freeze, a                            
18       consumer shall make the request to the consumer credit reporting agency                                           
19                 (1)  by mail to the address designated by the consumer credit reporting                                 
20       agency to receive security freeze requests; or                                                                    
21                 (2)  as allowed by (b) of this section.                                                                 
22            (b)  A consumer may make a request under (a) of this section by telephone or                                 
23       by facsimile, the Internet, or other electronic media if the consumer credit reporting                            
24       agency has developed procedures for using the telephone or an electronic medium to                                
25       receive and process the request in an expedited manner.                                                           
26            (c)  A consumer credit reporting agency shall place a security freeze within                                 
27       five business days after receiving a request under (a) or (b) of this section and proper                          
28       identification from the consumer.                                                                                 
29            Sec. 45.48.120. Confirmation of security freeze. (a) Within 10 business days                               
30       after a consumer makes the request under AS 45.48.110, a consumer credit reporting                                
31       agency shall send a written confirmation of the placement of the security freeze to the                           
01       consumer. The confirmation must also inform the consumer that the consumer credit                                 
02       reporting agency may charge, as allowed by AS 45.48.160, a fee for third-party access                             
03       during the security freeze.                                                                                       
04            (b)  At the same time that the consumer credit reporting agency sends a                                      
05       confirmation under (a) of this section, the consumer credit reporting agency shall                                
06       provide the consumer with a unique personal identification number, password, or                                   
07       similar device to be used by the consumer when the consumer authorizes the release of                             
08       the consumer's credit report or credit score under AS 45.48.130.                                                  
09            Sec. 45.48.130. Access and actions during security freeze. (a) While a                                     
10       security freeze is in place, a consumer credit reporting agency shall allow a third party                         
11       access to a consumer's credit report or credit score if the consumer requests that the                            
12       consumer credit reporting agency allow the access.                                                                
13            (b)  To make a request under (a) of this section, the consumer shall contact the                             
14       consumer credit reporting agency by mail at the address designated by the consumer                                
15       credit reporting agency to receive security freeze requests or as allowed by (c) of this                          
16       section, authorize the consumer credit reporting agency to allow the access, and                                  
17       provide the consumer credit reporting agency with                                                                 
18                 (1)  proper identification to verify the consumer's identity;                                           
19                 (2)  the unique personal identification number, password, or similar                                    
20       device provided under AS 45.48.120(b); and                                                                        
21                 (3)  the proper information necessary to identify the third party to                                    
22       whom the consumer credit reporting agency may allow the access or the time period                                 
23       during which the consumer credit reporting agency may allow the access to third                                   
24       parties who request the access.                                                                                   
25            (c)  In addition to making the request by mail, a consumer may make a request                                
26       under (a) of this section by telephone or by facsimile, the Internet, or other electronic                         
27       media if the consumer credit reporting agency has developed procedures for using the                              
28       telephone or an electronic medium to receive and process the request in an expedited                              
29       manner.                                                                                                           
30            (d)  Except as provided by (e) of this section, a consumer credit reporting                                  
31       agency that receives a request from a consumer under (b) or (c) of this section shall                             
01       comply with the request within 15 minutes after receiving the request by telephone or                             
02       by an electronic medium or within three business days after receiving the request by                              
03       mail.                                                                                                             
04            (e)  A consumer credit reporting agency is not required to comply with a                                     
05       request under (a) of this section within the 15 minutes required by (d) of this section if                        
06                 (1)  the consumer fails to satisfy the requirements of (b) of this section;                             
07                 (2)  one of the following events prevents the consumer credit reporting                                 
08       agency from removing the security freeze within 15 minutes:                                                       
09                      (A)  an act of God, including a fire, earthquake, hurricane,                                       
10            storm, or similar natural disaster or phenomenon;                                                            
11                      (B)  an unauthorized or illegal act by another person, including                                   
12            terrorism, sabotage, riot, vandalism, labor strike, labor dispute disrupting                                 
13            operations, or similar occurrence;                                                                           
14                      (C)  an operational interruption, including an electrical failure,                                 
15            unanticipated delay in equipment or replacement part delivery, computer                                      
16            hardware or software failure inhibiting response time, or similar disruption;                                
17                      (D)  governmental action, including an emergency order or                                          
18            regulation, a judicial law enforcement action, or a similar directive;                                       
19                      (E)  regularly scheduled maintenance during other than normal                                      
20            business hours of the consumer credit reporting agency's systems, or updates to                              
21            the consumer credit reporting agency's systems;                                                              
22                      (F)  commercially reasonable maintenance of, or repair to, the                                     
23            consumer credit reporting agency's systems that is unexpected or unscheduled;                                
24            or                                                                                                           
25                 (3)  the request is received outside of normal business hours.                                          
26            (f)  If a security freeze is in place, a consumer credit reporting agency may not                            
27       release the credit report or credit score to a third party without the prior express                              
28       authorization of the consumer.                                                                                    
29            (g)  If a security freeze is in place on a consumer's credit report and credit                               
30       score and if a third party applies to a consumer credit reporting agency to provide the                           
31       third party with access to the consumer's credit report or credit score, the consumer                             
01       credit reporting agency and the third party may treat the third party's application as                            
02       incomplete unless the consumer authorizes the access under (a) of this section.                                   
03            (h)  If a security freeze is in place, a consumer credit reporting agency may not                            
04       change the consumer's official information in the consumer's credit report and credit                             
05       score without sending a written statement of the change to the consumer within 30                                 
06       days after the change is made. A consumer credit reporting agency is not required to                              
07       send a written statement if the consumer credit reporting agency makes a technical                                
08       change in the consumer's official information. If a consumer credit reporting agency                              
09       makes a change, other than a technical change, in a consumer's address, the consumer                              
10       credit reporting agency shall send the written statement to the consumer at both the                              
11       new address and the former address. In this subsection,                                                           
12                 (1)  "official information" means name, date of birth, social security                                  
13       number, and address;                                                                                              
14                 (2)  "technical change" means changing spelling, transposing numbers                                    
15       or letters, abbreviating a word, or spelling out an abbreviation.                                                 
16            (i)  This section is not intended to prevent a consumer credit reporting agency                              
17       from advising a third party that requests access to a consumer's credit report or credit                          
18       score that a security freeze is in effect.                                                                        
19            (j)  The procedures used by a consumer credit reporting agency for                                           
20       implementing the provisions of this section may include the use of telephone,                                     
21       facsimile, or electronic means if making the disclosure by the electronic means is                                
22       consistent with the provisions regarding electronic records and signatures required for                           
23       notices legally required to be in writing under 15 U.S.C. 7001 et seq. (Electronic                                
24       Signatures in Global and National Commerce Act).                                                                  
25            Sec. 45.48.140. Removal of security freeze. (a) Except as provided by                                      
26       AS 45.48.130, a consumer credit reporting agency may not remove a security freeze                                 
27       unless                                                                                                            
28                 (1)  the consumer requests that the consumer credit reporting agency                                    
29       remove the security freeze under (b) of this section; or                                                          
30                 (2)  the consumer made a material misrepresentation of fact to the                                      
31       consumer credit reporting agency when the consumer requested the security freeze                                  
01       under AS 45.48.110; if a consumer credit reporting agency intends to remove a                                     
02       security freeze on a consumer's credit report under this paragraph, the consumer credit                           
03       reporting agency shall notify the consumer in writing before removing the security                                
04       freeze.                                                                                                           
05            (b)  A consumer credit reporting agency shall remove a security freeze within                                
06       three business days after receiving a request for removal from the consumer who                                   
07       requested the security freeze.                                                                                    
08            (c)  To make a request under (b) of this section, the consumer shall contact the                             
09       consumer credit reporting agency by mail or as allowed by (d) of this section,                                    
10       authorize the consumer credit reporting agency to remove the security freeze, and                                 
11       provide the consumer credit reporting agency with                                                                 
12                 (1)  proper identification to verify the consumer's identity; and                                       
13                 (2)  the unique personal identification number, password, or similar                                    
14       device provided under AS 45.48.120(b).                                                                            
15            (d)  In addition to mail, a consumer may make a request under (b) of this                                    
16       section by telephone or by facsimile, the Internet, or other electronic media if the                              
17       consumer credit reporting agency has developed procedures for using the telephone or                              
18       an electronic medium to receive and process the request in an expedited manner.                                   
19            Sec. 45.48.150. Prohibition. When dealing with a third party, a consumer                                   
20       credit reporting agency may not suggest, state, or imply that a consumer's security                               
21       freeze reflects a negative credit score, history, report, or rating.                                              
22            Sec. 45.48.160. Charges. (a) Except as provided by (b), (c), or (d) of this                                
23       section, a consumer credit reporting agency may not charge a consumer to place or                                 
24       remove a security freeze, to provide access under AS 45.48.130, or to take any other                              
25       action, including the issuance of a personal identification number, password, or similar                          
26       device under AS 45.48.120, that is related to the placement of, removal of, or allowing                           
27       access to a credit report or credit score on which a security freeze has been placed.                             
28            (b)  A consumer credit reporting agency may charge a consumer $5 for placing                                 
29       a security freeze.                                                                                                
30            (c)  A consumer credit reporting agency may charge the consumer $2 for each                                  
31       access request made by the consumer. In this subsection, "access request" means a                                 
01       request made by the consumer under AS 45.48.130 to allow third-party access to the                                
02       consumer's credit report or credit score on which a security freeze has been placed.                              
03            (d)  If a consumer fails to retain a personal identification number, password, or                            
04       similar device issued under AS 45.48.120, a consumer credit reporting agency may                                  
05       charge the consumer up to $5 for each time after the first time that the consumer credit                          
06       reporting agency issues the consumer another personal identification number,                                      
07       password, or similar device because the consumer failed to retain the personal                                    
08       identification number, password, or similar device.                                                               
09            (e)  A consumer credit reporting agency may not charge a consumer a fee                                      
10       under (b) or (c) of this section if the consumer has been a victim of identity theft and                          
11       provides the consumer credit reporting agency with a complaint filed by the consumer                              
12       with a law enforcement agency.                                                                                    
13            Sec. 45.48.170. Notice of rights. When a consumer credit reporting agency is                               
14       required to give a consumer a summary of rights under 15 U.S.C. 1681g (Fair Credit                                
15       Reporting Act), a consumer credit reporting agency shall also give the consumer the                               
16       following notice:                                                                                                 
17                 Consumers Have the Right to Obtain a Security Freeze                                                  
18                 You may obtain a security freeze on your credit report and                                              
19            credit score for $5 to protect your privacy and ensure that credit is not                                    
20            granted in your name without your knowledge. You may not have to                                             
21            pay the $5 charge if you are a victim of identity theft. You have a right                                    
22            to place a security freeze on your credit report and credit score under                                      
23            state law (AS 45.48.100 - 45.48.290).                                                                      
24                 The security freeze will prohibit a consumer credit reporting                                           
25            agency from releasing your credit score and any information in your                                          
26            credit report without your express authorization or approval.                                                
27                 The security freeze is designed to prevent credit, loans, and                                           
28            other services from being approved in your name without your consent.                                        
29            However, you should be aware that using a security freeze to take                                            
30            control over who gets access to the personal and financial information                                       
31            in your credit report and credit score may delay, interfere with, or                                         
01            prohibit the timely approval of any subsequent request or application                                        
02            you make regarding a new loan, credit, a mortgage, a governmental                                            
03            service, a governmental payment, a cellular telephone, a utility, an                                         
04            Internet credit card application, an extension of credit at point of sale,                                   
05            and other items and services.                                                                                
06                 When you place a security freeze on your credit report and                                              
07            credit score, within 10 business days, you will be provided a personal                                       
08            identification number, password, or similar device to use if you choose                                      
09            to remove the freeze on your credit report and credit score or to                                            
10            temporarily authorize the release of your credit report and credit score                                     
11            to a specific third party or specific third parties or for a specific period                                 
12            of time after the freeze is in place. To provide that authorization, you                                     
13            must contact the consumer credit reporting agency and provide all of                                         
14            the following:                                                                                               
15                      (1)  proper identification to verify your identity;                                                
16                      (2)  the personal identification number, password, or                                              
17            similar device provided by the consumer credit reporting agency;                                             
18                      (3)  proper information necessary to identify the third                                            
19            party or third parties who are authorized to receive the credit report and                                   
20            credit score or the specific period of time for which the credit report                                      
21            and credit score are to be available to third parties.                                                       
22                 A consumer credit reporting agency that receives your request                                           
23            to temporarily lift a freeze on a credit report and credit score is required                                 
24            to comply with the request within 15 minutes, except after normal                                            
25            business hours and under certain other conditions, after receiving your                                      
26            request if you make the request by telephone, or an electronic method if                                     
27            the agency provides an electronic method, or within three business days                                      
28            after receiving your request if you make the request by mail. The                                            
29            consumer credit reporting agency may charge you $2 to temporarily lift                                       
30            the freeze.                                                                                                  
31                 A security freeze does not apply to circumstances where you                                             
01            have an existing account relationship and a copy of your credit report                                       
02            and credit score are requested by your existing creditor or its agents or                                    
03            affiliates for certain types of account review, collection, fraud control,                                   
04            or similar activities.                                                                                       
05                 If you are actively seeking credit, you should understand that                                          
06            the procedures involved in lifting a security freeze may slow your own                                       
07            applications for credit. You should plan ahead and lift a freeze, either                                     
08            completely if you are shopping around, or specifically for a certain                                         
09            creditor, days before applying for new credit.                                                               
10                 You have a right to bring a civil action against someone who                                            
11            violates your rights under these laws on security freezes. The action can                                    
12            be brought against a consumer credit reporting agency.                                                       
13            Sec. 45.48.180. Notification after violation. If a consumer credit reporting                               
14       agency violates a security freeze by releasing a consumer's credit report or credit                               
15       score, the consumer credit reporting agency shall notify the consumer within five                                 
16       business days after discovering or being notified of the release, and the information in                          
17       the notice must include an identification of the information released and of the third                            
18       party who received the information.                                                                               
19            Sec. 45.48.190. Resellers. A consumer credit reporting agency that acts as a                               
20       reseller of consumer information shall honor a security freeze placed on a consumer's                             
21       credit report and credit score by another consumer credit reporting agency.                                       
22            Sec. 45.48.200. Violations and penalties. (a) A consumer who suffers                                       
23       damages as a result of a person's violation of AS 45.48.100 - 45.48.290 may bring an                              
24       action in court against the person and recover, in the case of a violation where the                              
25       person acted                                                                                                      
26                 (1)  negligently, actual economic damages, court costs allowed by the                                   
27       rules of court, and full reasonable attorney fees;                                                                
28                 (2)  knowingly,                                                                                         
29                      (A)  damages as described in (1) of this subsection;                                               
30                      (B)  punitive damages that are not less than $100 nor more than                                    
31            $5,000 for each violation as the court determines to be appropriate; and                                     
01                      (C)  other relief that the court determines to be appropriate.                                     
02            (b)  A consumer may bring an action in court against a person for a violation or                             
03       threatened violation of AS 45.48.100 - 45.48.290 for injunctive relief, whether or not                            
04       the consumer seeks another remedy under this section.                                                             
05            (c)  Notwithstanding (a)(2) of this section, a person who knowingly violates                                 
06       AS 45.48.100 - 45.48.290 is liable in a class action for an amount that the court                                 
07       allows. When determining the amount of an award in a class action under this                                      
08       subsection, the court shall consider, among the relevant factors, the amount of any                               
09       actual damages awarded, the frequency of the violations, the resources of the violator,                           
10       and the number of consumers adversely affected.                                                                   
11            (d)  In this section, "knowingly" has the meaning given in AS 11.81.900.                                     
12            Sec. 45.48.210. Exemptions. (a) The provisions of AS 45.48.100 - 45.48.290                               
13       do not apply to the use of a credit report by                                                                     
14                 (1)  a person, the person's subsidiary, affiliate, or agent, or the person's                            
15       assignee with whom a consumer has or, before the assignment, had an account,                                      
16       contract, or debtor-creditor relationship if the purpose of the use is to review the                              
17       consumer's account or to collect a financial obligation owing on the account, contract,                           
18       or debt;                                                                                                          
19                 (2)  a subsidiary, an affiliate, an agent, an assignee, or a prospective                                
20       assignee of a person to whom access has been granted under AS 45.48.130 if the                                    
21       purpose of the use is to facilitate the extension of credit or another permissible use;                           
22                 (3)  a person acting under a court order, warrant, or subpoena;                                         
23                 (4)  an agency of a state or municipality that administers a program for                                
24       establishing and enforcing child support obligations;                                                             
25                 (5)  the Department of Health and Social Services, its agents, or its                                   
26       assigns when investigating fraud;                                                                                 
27                 (6)  the Department of Revenue, its agents, or its assigns when                                         
28       investigating or collecting delinquent taxes or unpaid court orders or when                                       
29       implementing its other statutory responsibilities;                                                                
30                 (7)  a person if the purpose of the use is prescreening allowed under 15                                
31       U.S.C. 1681b(c) (Fair Credit Reporting Act);                                                                      
01                 (8)  a person administering a credit file monitoring subscription service                               
02       to which the consumer has subscribed;                                                                             
03                 (9)  a person providing a consumer with a copy of the consumer's credit                                 
04       report or credit score at the consumer's request;                                                                 
05                 (10)  a person if the database or file of the consumer credit reporting                                 
06       agency consists entirely of information concerning and used solely for one or more of                             
07       the following purposes:                                                                                           
08                      (A)  criminal record information;                                                                  
09                      (B)  personal loss history information;                                                            
10                      (C)  fraud prevention or detection;                                                                
11                      (D)  tenant screening; or                                                                          
12                      (E)  employment screening; or                                                                      
13                 (11)  a person for use for insurance purposes in setting a rate, adjusting                              
14       a rate, adjusting a claim, or underwriting, except that this paragraph may not be                                 
15       interpreted to authorize an insurance practice that is prohibited by other law; this                              
16       paragraph may not be interpreted to affect AS 21.36.460 or AS 21.39.035.                                          
17            (b)  Except as provided by AS 45.48.190, the provisions of AS 45.48.100 -                                    
18       45.48.290 do not apply to a person when acting only as a reseller of consumer                                     
19       information.                                                                                                      
20            Sec. 45.48.290. Definitions. In AS 45.48.100 - 45.48.290,                                                  
21                 (1)  "account review" means activities related to account maintenance,                                  
22       account monitoring, credit line increases, and account upgrades and enhancements;                                 
23                 (2)  "consumer" means an individual who is the subject of a credit                                      
24       report or credit score;                                                                                           
25                 (3)  "consumer credit reporting agency" has the meaning given in                                        
26       AS 45.48.990, but does not include a person who issues reports                                                    
27                      (A)  on incidents of fraud or authorizations for the purpose of                                    
28            approving or processing negotiable instruments, electronic funds transfers, or                               
29            similar methods of payments; or                                                                              
30                      (B)  regarding account closures because of fraud, substantial                                      
31            overdrafts, automated teller machine abuse, or similar negative information                                  
01            regarding a consumer to inquiring banks or other financial institutions for use                              
02            only in reviewing consumer requests for deposit accounts at the inquiring                                    
03            banks or financial institutions;                                                                             
04                 (4)  "reseller of consumer information" means a person who assembles                                    
05       and merges information contained in the databases of consumer credit reporting                                    
06       agencies and does not maintain a permanent database of consumer information from                                  
07       which new consumer credit reports are produced;                                                                   
08                 (5)  "security freeze" means a prohibition against a consumer credit                                    
09       reporting agency's releasing a consumer's credit report or credit score without the                               
10       express authorization of the consumer;                                                                            
11                 (6)  "third party" means a person who is not                                                            
12                      (A)  the consumer who is the subject of the consumer's credit                                      
13            report or credit score; or                                                                                   
14                      (B)  the consumer credit reporting agency that is holding the                                      
15            consumer's credit report or credit score.                                                                    
16                 Article 3. Protection of Social Security Number.                                                      
17            Sec. 45.48.400. Use of social security number. (a) A person may not                                      
18                 (1)  intentionally communicate or otherwise make available to the                                       
19       general public an individual's social security number;                                                            
20                 (2)  print an individual's social security number on a card required for                                
21       the individual to access products or services provided by the person;                                             
22                 (3)  require an individual to transmit the individual's social security                                 
23       number over the Internet unless the Internet connection is secure or the social security                          
24       number is encrypted;                                                                                              
25                 (4)  require an individual to use the individual's social security number                               
26       to access an Internet website unless a password, a unique personal identification                                 
27       number, or another authentication device is also required to access the website; or                               
28                 (5)  print an individual's social security number on material that is                                   
29       mailed to the individual unless                                                                                   
30                      (A)  local, state, or federal law, including a regulation adopted                                  
31            under AS 45.48.470, expressly authorizes placement of the social security                                    
01            number on the material; or                                                                                   
02                      (B)  the social security number is included on an application or                                   
03            other form, including a document sent as a part of an application process or an                              
04            enrollment process, sent by mail to establish, amend, or terminate an account, a                             
05            contract, or a policy, or to confirm the accuracy of the social security number;                             
06            however, a social security number allowed to be mailed under this                                            
07            subparagraph may not be printed, in whole or in part, on a postcard or other                                 
08            mailer that does not require an envelope, or in a manner that makes the social                               
09            security number visible on the envelope or without the envelope's being                                      
10            opened.                                                                                                      
11            (b)  The prohibitions in (a) of this section do not apply if the person is                                   
12       engaging in the business of government and                                                                        
13                 (1)  is authorized by law to communicate or otherwise make available                                    
14       to the general public the individual's social security number; or                                                 
15                 (2)  the communicating or otherwise making available of the                                             
16       individual's social security number is required for the performance of the person's                               
17       duties or responsibilities as provided by law.                                                                    
18            Sec. 45.48.410. Request and collection. (a) A person who does business in the                              
19       state, including the business of government, may not request or collect from an                                   
20       individual the individual's social security number. This subsection does not prohibit a                           
21       person from asking for another form of identification from the individual.                                        
22            (b)  The prohibition in (a) of this section does not apply                                                   
23                 (1)  if the person is authorized by local, state, or federal law, including                             
24       a regulation adopted under AS 45.48.470, to demand proof of the individual's social                               
25       security number, to request or collect the individual's social security number, or to                             
26       submit the individual's social security number to the local, state, or federal                                    
27       government;                                                                                                       
28                 (2)  if the person is engaging in the business of government and                                        
29                      (A)  is authorized by law to request or collect the individual's                                   
30            social security number; or                                                                                   
31                      (B)  the request or collection of the individual's social security                                 
01            number is required for the performance of the person's duties or                                             
02            responsibilities as provided by law;                                                                         
03                 (3)  to a person subject to or a transaction regulated by the Gramm-                                    
04       Leach-Bliley Financial Modernization Act for a purpose authorized by the Gramm-                                   
05       Leach-Bliley Financial Modernization Act;                                                                         
06                 (4)  to a person subject to or a transaction regulated by the Fair Credit                               
07       Reporting Act for a purpose authorized by the Fair Credit Reporting Act;                                          
08                 (5)  if the request or collection is for a background check on the                                      
09       individual, for fraud prevention, for medical treatment, for law enforcement or other                             
10       government purposes, for the individual's employment, including employment                                        
11       benefits, or for verification of the individual's age;                                                            
12                 (6)  if the request or collection does not have independent economic                                    
13       value, is incidental to a larger transaction or a larger anticipated transaction, and is                          
14       necessary to verify the identity of the individual;                                                               
15                 (7)  to an insurer regulated by AS 21; in this paragraph, "insurer" has                                 
16       the meaning given in AS 21.90.900; or                                                                             
17                 (8)  to a hospital service corporation or a medical service corporation                                 
18       regulated under AS 21.87; in this paragraph, "hospital service corporation" and                                   
19       "medical service corporation" have the meanings given in AS 21.87.330.                                            
20            Sec. 45.48.420. Sale, lease, loan, trade, or rental. (a) A person may not sell,                            
21       lease, loan, trade, or rent an individual's social security number to a third party.                              
22            (b)  The prohibition in (a) of this section does not apply if the sale, lease, loan,                         
23       trade, or rental is                                                                                               
24                 (1)  authorized by local, state, or federal law, including a regulation                                 
25       adopted under AS 45.48.470;                                                                                       
26                 (2)  by a person subject to or for a transaction regulated by the Gramm-                                
27       Leach-Bliley Financial Modernization Act for a purpose authorized by the Gramm-                                   
28       Leach-Bliley Financial Modernization Act;                                                                         
29                 (3)  by a person subject to or for a transaction regulated by the Fair                                  
30       Credit Reporting Act for a purpose authorized by the Fair Credit Reporting Act; or                                
31                 (4)  part of a report prepared by a consumer credit reporting agency in                                 
01       response to a request by a person and the person submits the social security number as                            
02       part of the request to the consumer credit reporting agency for the preparation of the                            
03       report.                                                                                                           
04            (c)  Nothing in this section prevents a business from transferring social security                           
05       numbers to another person if the transfer is part of the sale or other transfer of the                            
06       business to the other person.                                                                                     
07            (d)  A transfer of an individual's social security number for the sole purpose of                            
08       identifying a person about whom a report or database check is ordered, received, or                               
09       provided is not a sale, lease, loan, trade, or rental of a social security number under                           
10       this section.                                                                                                     
11            (e)  A person who knowingly violates (a) of this section is guilty of a class A                              
12       misdemeanor. In this subsection, "knowingly" has the meaning given in AS 11.81.900.                               
13            Sec. 45.48.430. Disclosure. (a) A person doing business, including the                                     
14       business of government, may not disclose an individual's social security number to a                              
15       third party.                                                                                                      
16            (b)  The prohibition in (a) of this section does not apply if                                                
17                 (1)  the disclosure is authorized by local, state, or federal law, including                            
18       a regulation adopted under AS 45.48.470;                                                                          
19                 (2)  the person is engaging in the business of government and                                           
20                      (A)  is authorized by law to disclose the individual's social                                      
21            security number; or                                                                                          
22                      (B)  the disclosure of the individual's social security number is                                  
23            required for the performance of the person's duties or responsibilities as                                   
24            provided by law;                                                                                             
25                 (3)  the disclosure is to a person subject to or for a transaction regulated                            
26       by the Gramm-Leach-Bliley Financial Modernization Act, and the disclosure is for a                                
27       purpose authorized by the Gramm-Leach-Bliley Financial Modernization Act or to                                    
28       facilitate a transaction of the individual;                                                                       
29                 (4)  the disclosure is to a person subject to or for a transaction regulated                            
30       by the Fair Credit Reporting Act, and the disclosure is for a purpose authorized by the                           
31       Fair Credit Reporting Act;                                                                                        
01                 (5)  the disclosure is part of a report prepared by a consumer credit                                   
02       reporting agency in response to a request by a person and the person submits the social                           
03       security number as part of the request to the consumer credit reporting agency for the                            
04       preparation of the report; or                                                                                     
05                 (6)  the disclosure is for a background check on the individual, identity                               
06       verification, fraud prevention, medical treatment, law enforcement or other                                       
07       government purposes, or the individual's employment, including employment benefits.                               
08            Sec. 45.48.440. Interagency disclosure. Notwithstanding the other provisions                               
09       of AS 45.48.400 - 45.48.480, a state or local governmental agency may disclose an                                 
10       individual's social security number to another state or local governmental agency or to                           
11       an agency of the federal government if the disclosure is required in order for the                                
12       agency to carry out the agency's duties and responsibilities.                                                     
13            Sec. 45.48.450. Exception for employees, agents, and independent                                           
14       contractors. (a) Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, a                            
15       person may disclose an individual's social security number to an employee or agent of                             
16       the person for a legitimate purpose established by and as directed by the person, but                             
17       the employee or agent may not use the social security number for another purpose or                               
18       make an unauthorized disclosure of the individual's personal information.                                         
19            (b)  Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, and                                   
20       except as provided for an agent under (a) of this section, a person may disclose an                               
21       individual's social security number to an independent contractor of the person to                                 
22       facilitate the purpose or transaction for which the individual initially provided the                             
23       social security number to the person, but the independent contractor may not use the                              
24       social security number for another purpose or make an unauthorized disclosure of the                              
25       individual's personal information. In this subsection, "independent contractor"                                   
26       includes a debt collector.                                                                                        
27            Sec. 45.48.460. Employment-related exception. The provisions of                                            
28       AS 45.48.400 - 45.48.480 may not be construed to restrict a person's use or exchange                              
29       of an individual's social security number                                                                         
30                 (1)  in the course of the administration of a claim, benefit, or procedure                              
31       related to the individual's employment by the person, including the individual's                                  
01       termination from employment, retirement from employment, and injury suffered                                      
02       during the course of employment; or                                                                               
03                 (2)  to check on an unemployment insurance claim of the individual.                                   
04            Sec. 45.48.470. Agency regulations. If regulations are necessary in order for a                          
05       state agency to carry out the state agency's duties and responsibilities, a state agency                          
06       may adopt regulations under AS 44.62 (Administrative Procedure Act) to establish                                  
07       when the state agency or a person regulated by the state agency may                                               
08                 (1)  print an individual's social security number on material that is                                   
09       mailed to the individual;                                                                                         
10                 (2)  demand proof from an individual of the individual's social security                                
11       number, collect from an individual the individual's social security number, or submit                             
12       an individual's social security number to a local, state, or federal agency;                                      
13                 (3)  ask an individual to provide the state agency with the individual's                                
14       social security number;                                                                                           
15                 (4)  disclose an individual's social security number to a third party;                                  
16                 (5)  sell, lease, loan, trade, or rent an individual's social security number                           
17       to a third party.                                                                                                 
18            Sec. 45.48.480. Penalties. (a) A person who knowingly violates AS 45.48.400                                
19       - 45.48.430 is liable to the state for a civil penalty not to exceed $3,000.                                      
20            (b)  An individual may bring a civil action in court against a person who                                    
21       knowingly violates AS 45.48.400 - 45.48.430 and may recover actual economic                                       
22       damages, court costs allowed by the rules of court, and full reasonable attorney fees.                            
23            (c)  In this section, "knowingly" has the meaning given in AS 11.81.900.                                     
24                       Article 4. Disposal of Records.                                                                 
25            Sec. 45.48.500. Disposal of records. (a) When disposing of records that                                    
26       contain personal information, a business and a governmental agency shall take all                                 
27       reasonable measures necessary to protect against unauthorized access to or use of the                             
28       records.                                                                                                          
29            (b)  Notwithstanding (a) of this section, if a business or governmental agency                               
30       has otherwise complied with the provisions of AS 45.48.500 - 45.48.590 in the                                     
31       selection of a third party engaged in the business of record destruction, the business or                         
01       governmental agency is not liable for the disposal of records under AS 45.48.500 -                                
02       45.48.590 after the business or governmental agency has relinquished control of the                               
03       records to the third party for the destruction of the records.                                                    
04            (c)  A business or governmental agency is not liable for the disposal of records                             
05       under AS 45.48.500 - 45.48.590 after the business or governmental agency has                                      
06       relinquished control of the records to the individual to whom the records pertain.                                
07            Sec. 45.48.510. Measures to protect access. The measures that may be taken                                 
08       to comply with AS 45.48.500 include                                                                               
09                 (1)  implementing and monitoring compliance with policies and                                           
10       procedures that require the burning, pulverizing, or shredding of paper documents                                 
11       containing personal information so that the personal information cannot practicably be                            
12       read or reconstructed;                                                                                            
13                 (2)  implementing and monitoring compliance with policies and                                           
14       procedures that require the destruction or erasure of electronic media and other                                  
15       nonpaper media containing personal information so that the personal information                                   
16       cannot practicably be read or reconstructed;                                                                      
17                 (3)  after due diligence, entering into a written contract with a third                                 
18       party engaged in the business of record destruction to dispose of records containing                              
19       personal information in a manner consistent with AS 45.48.500 - 45.48.590.                                        
20            Sec. 45.48.520. Due diligence. In AS 45.48.510(3), due diligence ordinarily                                
21       includes performing one or more of the following:                                                                 
22                 (1)  reviewing an independent audit of the third party's operations and                                 
23       its compliance with AS 45.48.500 - 45.48.590;                                                                     
24                 (2)  obtaining information about the third party from several references                                
25       or other reliable sources and requiring that the third party be certified by a recognized                         
26       trade association or similar organization with a reputation for high standards of quality                         
27       review; or                                                                                                        
28                 (3)  reviewing and evaluating the third party's information security                                    
29       policies and procedures, or taking other appropriate measures to determine the                                    
30       competency and integrity of the third party.                                                                      
31            Sec. 45.48.530. Policy and procedures. A business or governmental agency                                   
01       shall adopt written policies and procedures that relate to the adequate destruction and                           
02       proper disposal of records containing personal information and that are consistent with                           
03       AS 45.48.500 - 45.48.590.                                                                                         
04            Sec. 45.48.540. Exemptions. (a) A business or a governmental agency is not                                 
05       required to comply with AS 45.48.500 - 45.48.530 if federal law requires that the                                 
06       business or governmental agency act in a way that does not comply with AS 45.48.500                               
07       - 45.48.530.                                                                                                      
08            (b)  A business is not required to comply with AS 45.48.500 - 45.48.530 if                                   
09                 (1)  the business is subject to and in compliance with the Gramm-                                       
10       Leach-Bliley Financial Modernization Act; or                                                                      
11                 (2)  the manner of the disposal of the records of the business is subject                               
12       to 15 U.S.C. 1681w (Fair Credit Reporting Act) and the business is complying with 15                              
13       U.S.C. 1861w.                                                                                                     
14            Sec. 45.48.550. Civil penalty. (a) An individual, a business, or a governmental                            
15       agency that knowingly violates AS 45.48.500 - 45.48.590 is liable to the state for a                            
16       civil penalty not to exceed $3,000.                                                                               
17            (b)  In this section, "knowingly" has the meaning given in AS 11.81.900.                                     
18            Sec. 45.48.560. Court action. An individual who is damaged by a violation of                               
19       AS 45.48.500 - 45.48.590 may bring a civil action in court to enjoin further violations                           
20       and to recover for the violation actual economic damages, court costs allowed by the                              
21       rules of court, and full reasonable attorney fees.                                                                
22            Sec. 45.48.590. Definitions. In AS 45.48.500 - 45.48.590,                                                  
23                 (1)  "business" means a person who conducts business in the state or a                                  
24       person who conducts business and maintains or otherwise possesses personal                                        
25       information on state residents; in this paragraph,                                                                
26                      (A)  "conducts business" includes engaging in activities as a                                      
27            financial institution organized, chartered, or holding a license or authorization                            
28            certificate under the laws of this state, another state, the United States, or                               
29            another country;                                                                                             
30                      (B)  "possesses" includes possession for the purpose of                                            
31            destruction;                                                                                                 
01                 (2)  "dispose" means                                                                                    
02                      (A)  the discarding or abandonment of records containing                                           
03            personal information;                                                                                        
04                      (B)  the sale, donation, discarding, or transfer of                                                
05                           (i)  any medium, including computer equipment or                                              
06                 computer media, that contains records of personal information;                                          
07                           (ii)  nonpaper media, other than that identified under (i)                                    
08                 of this subparagraph, on which records of personal information are                                      
09                 stored; and                                                                                             
10                           (iii)  equipment for nonpaper storage of information;                                         
11                 (3)  "governmental agency" means a state or local governmental                                          
12       agency, except for an agency of the judicial branch;                                                              
13                 (4)  "personal information" means                                                                       
14                      (A)  an individual's passport number, driver's license number,                                     
15            state identification number, bank account number, credit card number, debit                                  
16            card number, other payment card number, financial account information, or                                    
17            information from a financial application; or                                                                 
18                      (B)  a combination of an individual's                                                              
19                           (i)  name; and                                                                                
20                           (ii)  medical information, insurance policy number,                                           
21                 employment information, or employment history;                                                          
22                 (5)  "records" means material on which information that is written,                                     
23       drawn, spoken, visual, or electromagnetic is recorded or preserved, regardless of                                 
24       physical form or characteristics, but does not include publicly available information                             
25       containing names, addresses, telephone numbers, or other information an individual                                
26       has voluntarily consented to have publicly disseminated or listed.                                                
27    Article 5. Factual Declaration of Innocence after Identity Theft; Right to File Police                             
28                      Report Regarding Identity Theft.                                                                 
29            Sec. 45.48.600. Factual declaration of innocence after identity theft. (a) A                               
30       victim of identity theft may petition the superior court for a determination that the                             
31       victim is factually innocent of a crime if                                                                        
01                 (1)  the perpetrator of the identity theft was arrested for, cited for, or                              
02       convicted of the crime using the victim's identity;                                                               
03                 (2)  a criminal complaint was filed against the perpetrator of the                                      
04       identity theft; and                                                                                               
05                 (3)  the victim's identity was mistakenly associated with a record of a                                 
06       conviction for a crime.                                                                                           
07            (b)  In addition to a petition by a victim under (a) of this section, the                                    
08       department may petition the superior court for a determination under (a) of this                                  
09       section, or the superior court may, on its own motion, make a determination under (a)                             
10       of this section.                                                                                                  
11            Sec. 45.48.610. Basis for determination. A determination of factual                                        
12       innocence under AS 45.48.600 may be heard and made on declarations, affidavits,                                   
13       police reports, or other material, relevant, and reliable information submitted by the                            
14       parties or ordered to be made a part of the record by the court.                                                  
15            Sec. 45.48.620. Criteria for determination; court order. (a) A court may                                   
16       determine that a petitioner under AS 45.48.600 is factually innocent of a crime if the                            
17       court finds beyond a reasonable doubt that                                                                        
18                 (1)  the petitioner is a victim of identity theft;                                                      
19                 (2)  the petitioner did not commit the offense for which the perpetrator                                
20       of the identity theft was arrested, cited, or convicted;                                                          
21                 (3)  the petitioner filed a criminal complaint against the perpetrator of                               
22       the identity theft; and                                                                                           
23                 (4)  the petitioner's identity was mistakenly associated with a record of                               
24       conviction for the crime.                                                                                         
25            (b)  If a court finds under this section that the victim is factually innocent of a                          
26       crime, the court shall issue an order indicating this determination of factual innocence                          
27       and shall provide the victim with a copy of the order.                                                            
28            Sec. 45.48.630. Orders regarding records. After a court issues an order under                              
29       AS 45.48.620, the court may order the name and associated personal information of                                 
30       the victim of identity theft that is contained in the files, indexes, and other records of                        
31       the court that are accessible by the public labeled to show that the name and personal                            
01       information of the victim of identity theft is incorrect.                                                         
02            Sec. 45.48.640. Vacation of determination. A court that has issued an order                                
03       under AS 45.48.620 may, at any time, vacate the order if the petition, or any                                     
04       information submitted in support of the petition, is found to contain a material                                  
05       misrepresentation, an omission, or false information.                                                             
06            Sec. 45.48.650. Court form. The supreme court of the state may develop a                                   
07       form to be used for the order under AS 45.48.620.                                                                 
08            Sec. 45.48.660. Database. The department may establish and maintain a                                      
09       database of individuals who have been victims of identity theft and who have received                             
10       an order under AS 45.48.620. The department shall provide a victim or the victim's                                
11       authorized representative access to a database established under this section to                                  
12       establish that the individual has been a victim of identity theft. Access to the database                         
13       established under this section is limited to criminal justice agencies, victims of identity                       
14       theft, and individuals and agencies authorized by the victims.                                                    
15            Sec. 45.48.670. Toll-free telephone number. The department may establish                                   
16       and maintain a toll-free telephone number to provide access to information in a                                   
17       database established under AS 45.48.660.                                                                          
18            Sec. 45.48.680. Right to file police report regarding identity theft. (a) Even                             
19       if the local law enforcement agency does not have jurisdiction over the theft of an                               
20       individual's identity, if an individual who has learned or reasonably suspects the                                
21       individual has been the victim of identity theft contacts, for the purpose of filing a                            
22       complaint, a local law enforcement agency that has jurisdiction over the individual's                             
23       actual place of residence, the local law enforcement agency shall make a report of the                            
24       matter and provide the individual with a copy of the report. The local law enforcement                            
25       agency may refer the matter to a law enforcement agency in a different jurisdiction.                              
26            (b)  This section is not intended to interfere with the discretion of a local law                            
27       enforcement agency to allocate its resources to the investigation of crime. A local law                           
28       enforcement agency is not required to count a complaint filed under (a) of this section                           
29       as an open case for purposes that include compiling statistics on its open cases.                                 
30            Sec. 45.48.690. Definitions. In AS 45.48.600 - 45.48.690,                                                  
31                 (1)  "crime" has the meaning given in AS 11.81.900;                                                     
01                 (2)  "department" means the Department of Law;                                                          
02                 (3)  "perpetrator" means the person who perpetrated the theft of an                                     
03       individual's identity;                                                                                            
04                 (4)  "victim" means an individual who is the victim of identity theft.                                  
05                  Article 6. Truncation of Card Information.                                                           
06            Sec. 45.48.750. Truncation of card information. (a) A person who accepts                                   
07       credit cards or debit cards for the transaction of business may not print more than the                           
08       last four digits of the card number or the expiration date on any receipt or other                                
09       physical record of the transaction provided at the point of the sale or transaction.                              
10            (b)  This section applies only to receipts that are electronically printed and does                          
11       not apply to transactions in which the sole means of recording a credit card or debit                             
12       card account number is by handwriting or by an imprint or copy of the card.                                       
13            (c)  A person may not sell a device that electronically prints more than the last                            
14       four digits of a credit card or debit card number or expiration date on a consumer                                
15       receipt for a business transaction or on a copy retained by a business person for a                               
16       business transaction.                                                                                             
17            (d)  An individual may bring a civil action in court against a person who                                    
18       knowingly violates (a) of this section and may recover actual economic damages,                                   
19       court costs allowed by the rules of court, and full reasonable attorney fees.                                     
20            (e)  A person who knowingly violates this section is liable to the state for a                               
21       civil penalty not to exceed $3,000.                                                                               
22            (f)  In this section,                                                                                        
23                 (1)  "credit" means the right granted by a creditor to a debtor to defer                                
24       payment of debt, to incur debts and defer payment of the debt, or to purchase property                            
25       or services and defer payment of the purchase;in this paragraph, "creditor" means a                              
26       person who regularly extends, renews, or continues credit, a person who regularly                                 
27       arranges for the extension, renewal, or continuation of credit, or an assignee of an                              
28       original creditor who participates in the decision to extend, renew, or continue credit;                          
29                 (2)  "credit card" means a card, plate, coupon book, or other credit                                    
30       device existing for the purpose of obtaining money, property, labor, or services on                               
31       credit;                                                                                                           
01                 (3)  "debit card" means a card issued by a financial institution to a                                   
02       consumer for use in initiating an electronic fund transfer from the account of the                                
03       consumer at the financial institution for the purpose of transferring money between                               
04       accounts or obtaining money, property, labor, or services;                                                        
05                 (4)  "knowingly" has the meaning given in AS 11.81.900.                                                 
06                       Article 7. General Provisions.                                                                  
07            Sec. 45.48.990. Definitions. In this chapter, unless the context indicates                                 
08       otherwise,                                                                                                        
09                 (1)  "consumer" means an individual;                                                                    
10                 (2)  "consumer credit reporting agency" means a person who, for                                         
11       monetary fees, dues, or on a cooperative nonprofit basis, regularly engages, in whole                             
12       or in part, in the practice of assembling or evaluating consumer credit information or                            
13       other information on consumers for the purpose of furnishing credit reports to third                              
14       parties;                                                                                                          
15                 (3)  "credit report" means a consumer report that a consumer credit                                     
16       reporting agency furnishes to a person that the consumer credit reporting agency has                              
17       reason to believe intends to use the consumer report as a factor in establishing the                              
18       consumer's eligibility for credit to be used primarily for personal, family, or household                         
19       purposes; in this paragraph, "consumer report" has the meaning given to "consumer                                 
20       report" in 15 U.S.C. 1681a(d) (Fair Credit Reporting Act), except that "consumer                                  
21       reporting agency" in 15 U.S.C. 1681a(d) is to be read as "consumer credit reporting                               
22       agency";                                                                                                          
23                 (4)  "Fair Credit Reporting Act" means 15 U.S.C. 1681 - 1681x;                                          
24                 (5)  "Gramm-Leach-Bliley Financial Modernization Act" means 15                                          
25       U.S.C. 6801 - 6827;                                                                                               
26                 (6)  "identity theft" means the theft of the identity of an individual;                                 
27                 (7)  "information system" means any information system, including a                                     
28       system consisting of digital databases and a system consisting of pieces of paper;                                
29                 (8)  "person" has the meaning given in AS 01.10.060 and includes a                                      
30       state or local governmental agency, except for an agency of the judicial branch;                                  
31                 (9)  "state resident" means an individual who satisfies the residency                                   
01       requirements under AS 01.10.055.                                                                                  
02            Sec. 45.48.995. Short title. This chapter may be cited as the Alaska Personal                              
03       Information Protection Act.                                                                                       
04    * Sec. 5. AS 45.50.471(b) is amended by adding a new paragraph to read:                                            
05                 (53)  an information collector, other than a governmental agency,                                       
06       violating AS 45.48.010 - 45.48.090 (breach of security involving personal                                         
07       information); in this paragraph,                                                                                  
08                      (A)  "governmental agency" has the meaning given in                                                
09            AS 45.48.090;                                                                                                
10                      (B)  "information collector" has the meaning given in                                              
11            AS 45.48.090.                                                                                                
12    * Sec. 6. The uncodified law of the State of Alaska is amended by adding a new section to                          
13 read:                                                                                                                   
14       INDIRECT COURT RULE AMENDMENTS. (a) AS 45.48.640, enacted by sec. 4 of                                            
15 this Act, has the effect of changing Rule 60(b), Alaska Rules of Civil Procedure, by allowing                           
16 a court to vacate an order on its own motion and at any time and by establishing a specific                             
17 criterion for vacating the order under AS 45.48.640.                                                                    
18       (b)  AS 45.48.200(a), 45.48.480(b), 45.48.560, and 45.48.750(d), enacted by sec. 4 of                             
19 this Act, have the effect of changing Rule 82, Alaska Rules of Civil Procedure, by changing                             
20 the criteria for determining the amount of attorney fees to be awarded to a party in an action                          
21 under AS 45.48.200(a), 45.48.480(b), 45.48.560, or 45.48.750(d).                                                        
22    * Sec. 7. The uncodified law of the State of Alaska is amended by adding a new section to                          
23 read:                                                                                                                   
24       TRANSITION: REGULATIONS. A state agency may proceed to adopt regulations                                          
25 necessary to implement this Act. The regulations take effect under AS 44.62 (Administrative                             
26 Procedure Act), but not before the effective date of the law implemented by the regulation.                             
27    * Sec. 8. AS 45.48.470, enacted by sec. 4 of this Act, takes effect immediately under                              
28 AS 01.10.070(c).                                                                                                        
29    * Sec. 9. Section 7 of this Act takes effect immediately under AS 01.10.070(c).                                    
30    * Sec. 10. Except as provided by secs. 8 and 9 of this Act, this Act takes effect July 1, 2009.                    
New Text Underlined     [DELETED TEXT BRACKETED]