A Summary of CS for House Bill 65 (Jud) – A Presentation to the HCCA Alaska Local Annual Conference
Joan Wilson, Asst Attorney General, State of Alaska, Joan.Wilson@alaska.gov
House Bill 65
• An Act relating to breaches of security involving personal information, protection of social security numbers, and disposal of records
Remember
• This is still a bill
• In House Finance
• Needs advancement from the House and consideration by the Senate
• Approval by the Governor
• If the Health Care Compliance Association has unaddressed concerns, use the legislative process
Personal Information Protection Act
• Article 1 – Disclosure of security breach
• Article 2 – Credit Report and Credit Score Security Freeze
• Article 3 – Protection of Social Security Number
• Article 4 – Disposal of Records
• Article 5 – Identity Theft
• Article 6 – Truncation of Card Number
• Article 7 – General Provisions
Personal Information Protection Act
• We won’t discuss
  • Article 2 – credit reporting and credit score security freezes
  • Article 5 – identity theft
Personal Information Protection Act
• Article 7 – General Provisions
• Definitions impacting all Articles
  • Consumer – an individual
  • Consumer credit reporting agency
  • Credit report
  • Information system – any information system, including a system consisting of digital databases and a system consisting of pieces of paper
  • Person – includes business entities, associations, and natural persons
  • State resident – meets the tests of AS 01.10.055
    • Physically present with the intent to remain indefinitely and make a home
    • After establishing residency, absences consistent with residency are acceptable
Personal Information Protection Act
• Article 1 – Breach of Security Involving Personal Information
Personal Information Protection Act
• Definitions
  • Information Collector: a person who owns or uses personal information in any form if the personal information includes information on a state resident
  • Information Distributor: a person who is an information collector and who owns or licenses personal information to an information recipient
Personal Information Protection Act
• Definitions
  • Information Recipient: a person who is an information collector but who does not own or have the right to license to another information collector the personal information received from the information distributor
  • Governmental Agency
    • A state or local government agency, except for the judicial branch
Personal Information Protection Act
• Definitions
  • Personal information: information in any form on an individual that is not encrypted or redacted, or is encrypted but the encryption key is accessed or acquired, and that consists of a combination of the following information
Personal Information Protection Act
• Definitions
  • Personal Information
    • An individual’s name, address, or telephone number, and
    • One or more of the following
      • Social security number
      • Driver’s license number
      • State ID number
      • Account number, or
      • Passwords or access codes
Personal Information Protection Act
• Definitions
  • Breach of Security
    • An unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector
    • Acquisition includes acquisition by
      • photocopying, facsimile, or other paper-based method
      • a device, including a computer, that can read, write, or store information that is represented in numerical form, or
      • any other method
Personal Information Protection Act
• Not a breach
  • The good faith acquisition of personal information by an employee or agent of an information collector for a legitimate purpose of the information collector is not a breach if the employee or agent does not use the information for an illegitimate purpose and does not make an unauthorized disclosure of the information
  • Does not define “unauthorized disclosure” – by law or by the individual
Personal Information Protection Act
• Rule on disclosure
  • If a person owns or uses personal information that includes personal information on a state resident and a breach of security of an information system occurs, the person shall disclose the breach to each state resident whose personal information was subject to the breach
Personal Information Protection Act
• Rule on Disclosure
  • An information collector will disclose the breach in the most expeditious time possible and without unreasonable delay, except
    • As permitted under AS 45.48.020, and
    • As necessary to determine the scope of the breach and restore the integrity of the information system
  • AS 45.48.020 – allowable delay
    • A law enforcement agency determines that disclosure interferes with an ongoing investigation
    • Disclose as expeditiously as possible after receipt of written notice from the agency that disclosure no longer interferes
Personal Information Protection Act
• Methods of Notice
  • Written document sent to the most recent address the information collector has
  • Electronic means in compliance with 15 U.S.C. 7001 (Electronic Signatures in Global and International Commerce Act)
  • Cost Effective Means (if the collector qualifies)
    • Electronic mail
    • Conspicuous posting on the collector’s website, and
    • Notice to major statewide media
Personal Information Protection Act
• Methods of Notice
  • Qualification for Cost Effective Means
    • Demonstrate that notice by the first methods would exceed $150,000, or
    • Demonstrate that the affected class of state residents exceeds 300,000, or
    • Demonstrate that the information collector does not have sufficient contact information to provide notice
Personal Information Protection Act
• Notification to consumer credit reporting agencies
  • If notification is required to 1,000 or more state residents, the information collector shall also notify consumer credit reporting agencies of the breach
  • This section may not be construed to require the collector to identify the names of individuals subject to the breach
  • This section does not apply to an information collector subject to the Gramm-Leach-Bliley Financial Modernization Act (15 U.S.C. 6801-6827)
Personal Information Protection Act
• No waiver of notification permitted
• Treatment of certain breaches
  • If there is a breach of an information recipient’s information system, the recipient need not give notice to the state residents, but must notify the information distributor
  • The information distributor must give notice as if the breach occurred to the distributor’s information system
Personal Information Protection Act
• Penalties
  • If an information collector is a government agency
    • Liable to the state for up to $500 for each resident who is not notified, up to $50,000
    • Enjoined from further violations
    • Department of Administration enforces
    • Apply the APA and Office of Administrative Hearings procedures
  • If an information collector is not a government agency
    • Violation is an unfair or deceptive act or practice under AS 45.50.471 - 45.50.561
    • Private and class actions
      • Three times actual damages or $500, whichever is greater
    • Not liable for a penalty under AS 45.50.551
    • Is liable to the state for a penalty of up to $500 for each resident who is not notified, up to $50,000
Personal Information Protection Act
• Article 2 – Credit Report and Credit Score Security Freeze
  • Not discussing
  • Review if you think it impacts your association or organization
Personal Information Protection Act
• Article 3 – Protection of Social Security Number
Personal Information Protection Act
• Use of Social Security Number
  • General Rule – A person may not
    • Intentionally communicate or otherwise make available to the general public an individual’s social security number
    • Print an individual’s social security number on a card required to access products or services
    • Require an individual to transmit the individual’s SSN over the internet unless the connection is secure or the SSN is encrypted
Personal Information Protection Act
• Use of Social Security Number
  • General Rule – A person may not
    • Require an individual to use his or her SSN to access an internet site unless a password, a unique number, or another authentication device is also required
    • Print an SSN on material mailed to the individual unless
      • Local, state, or federal law expressly authorizes the placement, or
      • The number is included on an application or form to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the SSN, so long as the SSN is not printed on a postcard or in a manner that does not require opening an envelope to view it
Personal Information Protection Act
• Request and collection of SSN
  • General Rule: A person who does business in the state, including the business of government, may not request or collect an individual’s SSN
Personal Information Protection Act
• Request and collection of SSN
  • Exceptions
    • Expressly authorized by local, state, or federal law
    • Government agency, and the request or collection is authorized by law or is required for the performance of the government’s duties
    • To a financial institution subject to the Gramm-Leach-Bliley Financial Modernization Act
Personal Information Protection Act
• Request and collection of SSN
  • Exceptions
    • To or from a consumer reporting agency
    • For a background check, law enforcement purposes, or the individual’s employment purpose
    • Incidental to a larger transaction and necessary to verify the identity of the individual
      • The disclosure cannot have an independent economic value
Personal Information Protection Act
• No sale, lease, loan, trade, or rent of an SSN unless authorized by law
• No disclosure of an SSN to a 3rd party, unless
  • Authorized by law
  • Government, and authorized or required for performance of duties
  • Financial institution subject to Gramm-Leach-Bliley
  • Consumer reporting agency
  • Background check
Personal Information Protection Act
• Interagency disclosure between government agencies is permissible if required to carry out the other agency’s duties or responsibilities
• Employment purpose disclosure
  • A person may disclose the SSN to an employee or agent, including an independent contractor, of a person for a legitimate business purpose
  • For claim, benefit, or employment processing purposes
Personal Information Protection Act
• Authorized by law
  • Includes an agency adopting regulations to identify when it may print an SSN on material, demand proof of an SSN, ask an individual to provide an SSN, disclose an SSN to a 3rd party, or sell, lease, loan, trade, or rent an SSN to a 3rd party
  • Immediate effective date
Personal Information Protection Act
• Penalties
  • Knowing violation – civil penalty not to exceed $3,000
  • Private cause of action
    • Actual damages
    • Court costs
    • Reasonable attorney fees
  • Knowingly
    • Aware that the conduct is of that nature or that the circumstance exists (see AS 11.81.900)
Personal Information Protection Act
• Article 4 – Disposal of Records
Personal Information Protection Act
• Article 4 – Disposal of Records
• Definitions
  • Business – a person who conducts business in the state, or a person who conducts business and maintains or otherwise possesses personal information on state residents
  • “Conducts business” is defined inclusively (financial institutions and those that hold a license or authorization certification from the state)
Personal Information Protection Act
• Definitions
  • Governmental Agency
    • State or local government agency, except for the judicial branch
  • Dispose
    • Discard or abandon records
    • Sell, donate, discard, or transfer devices
Personal Information Protection Act
• Definitions
  • Personal information
    • Passport number, driver’s license number, state ID, bank account, credit, debit, or other payment card number, financial account information, information from a financial application, or
    • A combination of an individual’s name, address, or telephone number and medical information, insurance policy number, employment information, or employment history
Personal Information Protection Act
• Definitions
  • Records – material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved
    • Does not include publicly available information containing names, addresses, telephone numbers, or other information an individual has voluntarily consented to have publicly disseminated or listed
    • e.g., phone books, MySpace pages?
Personal Information Protection Act
• Article 4 – Disposal of Records
  • Rule: When disposing of records that contain personal information, a business and a governmental agency shall take reasonable measures to protect against unauthorized access to or use of the records
  • If a third party engaged in the business of record destruction is hired (following the due diligence standard), the business or agency is not liable after relinquishing the records
  • Also not liable once the records are released to the individual to whom the record pertains
Personal Information Protection Act
• Exception – A business or governmental agency is not required to comply with Article 4 if
  • Federal law requires the agency to act in a way that does not comply with Article 4
  • The business is subject to the Gramm-Leach-Bliley Financial Modernization Act
  • The manner of disposal of records is subject to the Fair Credit Reporting Act and in compliance with 15 U.S.C. 1861w
• No apparent HIPAA exception
  • Also likely not inconsistent
Personal Information Protection Act
• Measures to protect access include
  • (Requirement) Implementing and monitoring compliance with policies and procedures that require
    • the burning, pulverizing, or shredding of paper documents
    • destruction or erasure of electronic media and other non-paper media
  • After due diligence, entering into a written contract with a third party in the business of record destruction
Personal Information Protection Act
• Due diligence in selecting a third party
  • Reviewing an independent audit of the 3rd party’s operations
  • Checking with several references and requiring certification by a trade organization with high standards of review, or
  • Reviewing and evaluating the 3rd party’s information security policy and procedures, or taking other measures to determine competency and integrity
Personal Information Protection Act
• Penalties
  • Knowing violation – civil penalty to the state not to exceed $3,000
  • Private cause of action to enjoin the action
    • Actual damages
    • Court costs
    • Attorney fees
  • Same “knowingly” definition as above
Personal Information Protection Act
• Article 5 – Factual Declaration of Innocence after Identity Theft; Right to File Police Report Regarding Identity Theft
Personal Information Protection Act
• A victim of identity theft, the State, or the court may petition for a declaration of innocence if
  • The perpetrator is arrested, cited, or convicted
  • A criminal complaint is filed against the perpetrator, and
  • The victim’s identity is mistakenly associated with a record of conviction for a crime
• Reasonable doubt standard
Personal Information Protection Act
• Also a right to file a police report regarding identity theft
Personal Information Protection Act
• Article 6 – Truncation of Card Information
Personal Information Protection Act
• Truncation of Card Information
  • Rule: A person who accepts credit or debit cards for the transaction of business may not print more than the last four digits of the expiration date on the receipt or physical record of the transaction
  • Applies only to electronically printed (not handwritten or imprinted) receipts
  • May no longer sell a device in the state after Jan 1, 2009 that electronically prints more than the last 4 digits
Personal Information Protection Act
• Penalties
  • Knowing violation – liable to the State for a civil penalty not to exceed $3,000
  • Private cause of action
    • Actual damages or $5,000, whichever is greater
    • Court costs
    • Attorney fees
  • Same “knowingly” standard as above
Personal Information Protection Act
• Questions?