Bill Text 24th Legislature
00 SENATE BILL NO. 149
01 "An Act relating to breaches of security involving personal information; and relating to
02 credit report security freezes."
03 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:
04 * Section 1. AS 45 is amended by adding a new chapter to read:
05 Chapter 48. Information Security.
06 Article 1. Breach of Security Involving Personal Information.
07 Sec. 45.48.010. Disclosure of breach of security. (a) If a person engages in
08 business activities in the state, uses in the business an information system that includes
09 personal information, and a breach of the security of the system occurs, the person
10 shall, after discovering the breach, disclose the breach to each state resident whose
11 personal information, if unencrypted, was, or is reasonably believed to have been,
12 acquired by an unauthorized person due to the breach.
13 (b) A person shall make the disclosure required by (a) of this section in the
14 most expedient time possible and without unreasonable delay, except as provided in
01 AS 45.48.020 and 45.48.040 and as necessary to determine the scope of the breach
02 and restore the reasonable integrity of the information system.
03 (c) In this section, "business activities" means business activities that provide
04 at least the minimum contacts required by substantive due process for the state to
05 exercise jurisdiction over the person who is engaging in the business activities.
06 Sec. 45.48.020. Notification of law enforcement. A person may delay
07 making the disclosures required by AS 45.48.010 if the Department of Law
08 determines that the disclosures would compromise an investigation by the Department
09 of Law.
10 Sec. 45.48.030. Methods of notice. A person shall make the disclosures
11 required by AS 45.48.010
12 (1) by a written document that is personally delivered or mailed;
13 (2) by electronic means, if the electronic means is allowed under 15
14 U.S.C. 7001 et seq. (Electronic Signatures in Global and National Commerce Act); or
15 (3) if the person demonstrates that the cost of providing notice would
16 exceed $250,000, that the affected class of persons to be notified exceeds 500,000, or
17 that the business does not have sufficient contact information to provide notice, by
18 (A) electronic mail if the business has an electronic mail
19 address for the person;
20 (B) conspicuously posting the disclosure on the Internet site of
21 the person, if the person maintains an Internet site; and
22 (C) providing a notice to major statewide media.
23 Sec. 45.48.040. Exception for disclosure policy. If the person described in
24 AS 45.48.010 maintains for the business disclosure procedures as part of an
25 information security policy for the treatment of personal information, and the timing
26 of disclosures under the policy is consistent with AS 45.48.010(b), the person may
27 make the disclosure required by AS 45.48.010(a) under the disclosure procedures
28 maintained by the person.
29 Sec. 45.48.050. Exception for employees and agents. In AS 45.48.010 -
30 45.48.090, the good faith acquisition of personal information by an employee or agent
31 of the person described in AS 45.48.010 for the purposes of the business is not a
01 breach of the security of the information system, if the employee or agent does not use
02 the personal information for a purpose unrelated to the business and does not make
03 further unauthorized disclosure of the personal information.
04 Sec. 45.48.060. Waivers. A waiver of AS 45.48.010 - 45.48.090 is void and
05 unenforceable.
06 Sec. 45.48.070. Violations. (a) If a person violates AS 45.48.010 -
07 45.48.090, an individual may bring a civil action in court to
08 (1) recover the damages suffered by the individual;
09 (2) enjoin the person from further violations of AS 45.48.010 -
10 45.48.090.
11 (b) If a person violates or proposes to violate AS 45.48.010 - 45.48.090, the
12 state may bring a civil action in court to enjoin the person from violating or continuing
13 to violate AS 45.48.010 - 45.48.090.
14 (c) The rights and remedies available under this section are in addition to any
15 other rights and remedies available under another law.
16 Sec. 45.48.090. Definitions. In AS 45.48.010 - 45.48.090,
17 (1) "breach of the security" means unauthorized acquisition of
18 information that compromises the security, confidentiality, or integrity of personal
19 information maintained by the business;
20 (2) "personal information" means information that is not available to
21 the general public from federal, state, or local government records and that consists of
22 a combination of an individual's first name or first initial, the individual's last name,
23 and one or more of the following information elements, when the name or the
24 information elements are not encrypted:
25 (A) the individual's social security number;
26 (B) the number of the individual's driver's license or state
27 identification card;
28 (C) the combination of the number of the individual's financial
29 institution account, credit card account, or debit card account, and any required
30 security code, access code, or password that permits access to an individual's
31 financial institution account, credit card account, or debit card account;
01 (3) "state resident" means an individual who satisfies the residency
02 requirements under AS 01.10.055.
03 Article 2. Credit Report Security Freezes.
04 Sec. 45.48.100. Security freeze authorized. A consumer may prohibit a
05 credit reporting agency from releasing all or a part of a consumer's credit report or
06 information derived from the credit report without the express authorization of the
07 consumer by placing a security freeze on the consumer's credit report.
08 Sec. 45.48.110. Placement of security freeze. (a) To place a security freeze,
09 a consumer shall
10 (1) make the request to the credit reporting agency by certified mail;
11 and
12 (2) provide the credit reporting agency with proper identification.
13 (b) A credit reporting agency shall place a security freeze within five business
14 days after receiving a request under (a) of this section.
15 Sec. 45.48.120. Confirmation of security freeze. (a) Within 10 business
16 days after a consumer makes the request under AS 45.48.110, a credit reporting
17 agency shall send a written confirmation of the placement of the security freeze to the
18 consumer.
19 (b) At the same time that the credit reporting agency sends a confirmation
20 under (a) of this section, the credit reporting agency shall provide the consumer with a
21 unique personal identification number or password to be used by the consumer when
22 the consumer authorizes the release under AS 45.48.130 of the consumer's credit
23 report or information derived from the report.
24 Sec. 45.48.130. Access and actions during security freeze. (a) While a
25 security freeze is in place, a credit reporting agency shall allow a third party access to
26 a consumer's credit report or information derived from the credit report if the
27 consumer requests that the credit reporting agency allow the access.
28 (b) To make a request under (a) of this section, the consumer shall contact the
29 credit reporting agency, authorize the credit reporting agency to allow the access, and
30 provide the credit reporting agency with
31 (1) proper identification;
01 (2) the unique personal identification number or password provided
02 under AS 45.48.120(b); and
03 (3) the proper information necessary to identify the third party to
04 whom the credit reporting agency may allow the access or the time period during
05 which the credit reporting agency may allow the access to third parties who request
06 the access.
07 (c) A consumer reporting agency that receives a request from a consumer
08 under (b) of this section shall comply with the request within three business days after
09 receiving the request.
10 (d) A credit reporting agency may develop procedures involving the use of
11 telephone, facsimile, or, if the consumer consents under 15 U.S.C. 7001 (Electronic
12 Signatures in Global and National Commerce Act), the Internet or other electronic
13 media to receive and process a request from a consumer under (a) of this section in an
14 expedited manner.
15 (e) If a security freeze is in place, a credit reporting agency may not release
16 the credit report or information derived from the credit report to a third party without
17 the prior express authorization of the consumer.
18 (f) If a security freeze is in place, if a third party applies to a credit reporting
19 agency to provide the third party with access to the consumer's credit report or
20 information derived from the credit report, and if the consumer does not allow access
21 for that specific party or during that specific period of time, the credit reporting agency
22 may treat the third party's application as incomplete.
23 (g) A credit reporting agency shall notify a consumer that a third party has
24 attempted to access the consumer's credit report or information derived from the report
25 if a third party requests a credit reporting agency to provide the third party with access
26 to the credit report or information, a security freeze has been placed, and the purpose
27 of the access is not for the sole purpose of account review.
28 (h) This section is not intended to prevent a credit reporting agency from
29 advising a third party who requests access to a consumer's credit report or information
30 derived from the credit report that a security freeze is in effect.
31 Sec. 45.48.140. Removal of security freeze. (a) Except as provided by
01 AS 45.48.130, a credit reporting agency may not remove a security freeze unless
02 (1) the consumer requests that the credit reporting agency remove the
03 security freeze under (b) of this section; or
04 (2) the consumer made a material misrepresentation of fact to the
05 credit reporting agency when the consumer requested the security freeze under
06 AS 45.48.110; if a credit reporting agency intends to remove a security freeze on a
07 consumer's credit report under this paragraph, the credit reporting agency shall notify
08 the consumer in writing before removing the security freeze.
09 (b) A credit reporting agency shall remove a security freeze placed under
10 (a)(1) of this section within three business days after receiving a request for removal
11 from the consumer who requested the security freeze if the consumer provides proper
12 identification to identify the consumer and the unique personal identification number
13 or password provided by the consumer reporting agency under AS 45.48.120.
14 Sec. 45.48.150. Disclosure of process. If a consumer requests a security
15 freeze under AS 45.48.100, the credit reporting agency shall disclose to the consumer
16 the process under AS 45.48.100 - 45.48.290 of placing a security freeze, allowing
17 access to a third party during a security freeze, and allowing access during a specific
18 period of time during a security freeze.
19 Sec. 45.48.160. Charges. A credit reporting agency may not charge a
20 consumer more than
21 (1) $2 for each time that the consumer places a security freeze under
22 AS 45.48.100 or allows access for a specific person during a security freeze under
23 AS 45.48.130; or
24 (2) $4 for each time that the consumer allows access for a specific
25 period of time under AS 45.48.130.
26 Sec. 45.48.170. Additional identification information. A credit reporting
27 agency may require additional information about the consumer's employment,
28 personal history, and family history in order to verify the consumer's identity only if
29 the consumer is unable to reasonably identify the consumer with proper identification.
30 Sec. 45.48.180. Duties during security freeze. (a) If a security freeze is in
31 place, a credit reporting agency may not change a consumer's name, date of birth,
01 social security number, or address in the consumer's credit report without sending a
02 written confirmation of the change to the consumer within 30 days after the change is
03 posted to the consumer's file.
04 (b) Written confirmation under (a) of this section is not required for a
05 technical modification of a consumer's name, date of birth, social security number, or
06 address, including making or expanding abbreviations, correcting spellings, or
07 correcting transposed numbers or letters.
08 (c) In the case of an address change under (a) of this section, the written
09 confirmation shall be sent to both the new address and the former address.
10 Sec. 45.48.190. Violations and remedies. (a) A consumer who suffers
11 damages as a result of a person's violation of AS 45.48.100 - 45.48.290 may bring an
12 action in court against the person and recover, in the case of a violation where the
13 person acted
14 (1) negligently, actual damages, including loss of wages, and, when
15 applicable, damages for pain and suffering;
16 (2) knowingly,
17 (A) damages as described in (1) of this subsection;
18 (B) punitive damages that are not less than $100 nor more than
19 $5,000 for each violation as the court determines to be appropriate; and
20 (C) other relief that the court determines to be appropriate.
21 (b) A consumer may bring an action in court against a person for a violation or
22 threatened violation of AS 45.48.100 - 45.48.290 for injunctive relief, whether or
23 not the consumer seeks another remedy under this section.
24 (c) Notwithstanding (a)(2) of this section, a person who knowingly violates
25 AS 45.48.100 - 45.48.290 is liable in a class action for an amount that the court
26 allows. When determining the amount of an award in a class action under this
27 subsection, the court shall consider, among the relevant factors, the amount of any
28 actual damages awarded, the frequency of the violations, the resources of the violator,
29 and the number of consumers adversely affected.
30 (d) In this section, "knowingly" has the meaning given in AS 11.81.900.
31 Sec. 45.48.270. Reports not covered. The provisions of AS 45.48.100 -
01 45.48.290 do not apply to a credit report if the credit report is
02 (1) a report that only contains information relating to transactions or
03 experiences between the consumer and the person making the report;
04 (2) a communication of the information that is described in (1) of this
05 section or that is taken from a credit application by a consumer, if
06 (A) the communication is limited to internal communication
07 within the organization of the person making the report or made to another
08 person who is owned by, or affiliated with, the person making the report; and
09 (B) the consumer is informed by a clear and conspicuous
10 written disclosure that the information contained in the credit application may
11 be communicated as allowed under (A) of this paragraph, except that, if a
12 credit application is taken by telephone, the consumer shall initially be
13 informed orally when the application is taken, and a clear and conspicuous
14 written disclosure shall be made to the consumer in the first written
15 communication to the consumer after the application is taken;
16 (3) an authorization or approval of a specific extension of credit
17 directly or indirectly by the issuer of a credit card or similar device;
18 (4) a report that conveys a person's decision whether to make a specific
19 extension of credit directly or indirectly to a consumer in response to a request by a
20 third party if the third party advises the consumer of the name and address of the
21 person to whom the request was made;
22 (5) a report containing information solely about a consumer's
23 character, general reputation, personal characteristics, or mode of living and the
24 information is obtained through personal interviews with neighbors, friends, or
25 associates of the consumer reported on, or others with whom the consumer is
26 acquainted or who may have knowledge concerning those items of information; or
27 (6) a consumer credit report furnished for use in connection with a
28 transaction that consists of an extension of credit to be used solely for a commercial
29 purpose.
30 Sec. 45.48.280. Exemptions. (a) The provisions of AS 45.48.100 - 45.48.290
31 do not apply to the use of a credit report by
01 (1) a person, if the purpose of the person's use is account review or
02 collection of a financial obligation owing for an account, contract, or negotiable
03 instrument, and the consumer
04 (A) has, or had before an assignment of the account or contract
05 by the person, an account or contract with the person, including a demand
06 deposit account; or
07 (B) issued a negotiable instrument to the person;
08 (2) a subsidiary, an affiliate, an agent, an assignee, or a prospective
09 assignee of a person to whom access has been granted under AS 45.48.130 if the
10 purpose of the use is to facilitate the extension of credit or another permissible use;
11 (3) when acting under a court order, warrant, or subpoena, a state
12 agency, an agency of a political subdivision of the state, a law enforcement agency, a
13 court, or a private debt collection agency;
14 (4) an agency of a state or municipality that administers a program for
15 establishing and enforcing child support obligations;
16 (5) the Department of Health and Social Services, its agents, or its
17 assigns when investigating fraud;
18 (6) the Department of Revenue, its agents, or its assigns when
19 investigating or collecting delinquent taxes or unpaid court orders or when
20 implementing its other statutory responsibilities;
21 (7) a person if the purpose of the use is prescreening allowed under 15
22 U.S.C. 1681 - 1681w (Fair Credit Reporting Act);
23 (8) a person administering a credit file monitoring subscription service
24 to which the consumer has subscribed;
25 (9) a person providing a consumer with a copy of the consumer's credit
26 report at the consumer's request.
27 (b) In (a)(1) of this section, "person" includes the person's subsidiary, affiliate,
28 or agent, an assignee of a financial obligation owed by the consumer to the person, or
29 a prospective assignee of a financial obligation owed by the consumer to the person
30 when in conjunction with the proposed purchase of the financial obligation.
31 Sec. 45.48.290. Definitions. In AS 45.48.100 - 45.48.290,
01 (1) "account review" includes activities related to account
02 maintenance, account monitoring, account credit line increases, and account upgrades
03 and enhancements;
04 (2) "affiliate" means a corporation that directly, or indirectly through
05 one or more intermediaries, controls, is controlled by, or is under common control
06 with another corporation; in this paragraph, "control" means the possession, direct or
07 indirect, of the power to direct or cause the direction of the management and policies
08 of a corporation;
09 (3) "consumer" means an individual;
10 (4) "credit report" means a written, oral, or other communication of
11 information by a credit reporting agency bearing on a consumer's credit worthiness,
12 credit standing, or credit capacity if the communication is used or expected to be used,
13 or collected in whole or in part, to serve as a factor in establishing the consumer's
14 eligibility for
15 (A) credit to be used primarily for personal, family, or
16 household purposes;
17 (B) employment purposes;
18 (C) the rental of a dwelling unit; or
19 (D) any other purpose authorized under section 15 U.S.C.
20 1681b;
21 (5) "credit reporting agency" means a person who, for monetary fees,
22 dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the
23 business of assembling or evaluating consumer credit information or other information
24 on consumers for the purpose of furnishing credit reports to third parties, and these
25 activities provide at least the minimum contacts required by substantive due process
26 for the state to exercise jurisdiction over the person who is engaging in the activities;
27 "credit reporting agency" does not include a governmental agency whose records are
28 maintained primarily for traffic safety, law enforcement, or licensing purposes;
29 (6) "employment purposes" means, when used in connection with a
30 consumer credit report, a report used for the purpose of evaluating a consumer for
31 employment, promotion, reassignment, or retention as an employee;
01 (7) "file" means, when used in connection with information on a
02 consumer, all of the information on that consumer recorded and retained by a credit
03 reporting agency, regardless of how the information is stored;
04 (8) "permissible use" means a permissible use under 15 U.S.C. 1681b;
05 (9) "person" has the meaning given in AS 01.10.060 and includes a
06 governmental body, a governmental subdivision, or a governmental agency;
07 (10) "proper identification" means the information generally
08 considered sufficient to identify a person;
09 (11) "security freeze" means a prohibition against a credit reporting
10 agency from releasing all or a part of a consumer's credit report or information derived
11 from the credit report without the express authorization of the consumer.
12 Article 3. General Provisions.
13 Sec. 45.48.300. Relationship to federal law. If a provision of this chapter is
14 preempted by or conflicts with federal law in a particular situation, the provision does
15 not apply to the extent of the preemption or conflict.