Alaska Stat. § 45.48.010 et seq.
H.B. 65 (signed into law June 13, 2008, Chapter 92 SLA 08)
Effective July 1, 2009

Application. Any person, state, or local governmental agency (excepting the judicial branch), or person with more than 10 employees (collectively, Entity) that owns or licenses PI in any form in AK that includes PI of an AK resident.
- The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on state residents, whether or not the Entity conducts business in AK.

Security Breach Definition. An unauthorized acquisition, or reasonable belief of unauthorized acquisition, of PI that compromises the security, confidentiality, or integrity of the PI maintained by the Entity. Acquisition includes acquisition by photocopying, facsimile, or other paper-based method; by a device, including a computer, that can read, write, or store information that is represented in numerical form; or by a method not identified in this paragraph.
- Good-faith acquisition of PI by an employee or agent of the Entity for a legitimate purpose of the Entity is not a breach of the security of the information system if the employee or agent does not use the PI for a purpose unrelated to a legitimate purpose of the Entity and does not make further unauthorized disclosure of the PI.

Notification Obligation. Any Entity to which the statute applies shall disclose the breach to each AK resident whose PI was subject to the breach after discovering or being notified of the breach.
- Notification is not required if, after an appropriate investigation and after written notification to the state AG, the Entity determines that there is not a reasonable likelihood that harm to the consumers whose PI has been acquired has resulted or will result from the breach. The determination shall be documented in writing and the documentation shall be maintained for five years.

Notification of Consumer Reporting Agencies. If an Entity is required to notify more than 1,000 AK residents of a breach, the Entity shall also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis and provide the agencies with the timing, distribution, and content of the notices to AK residents. Entities subject to the Gramm-Leach-Bliley Act are exempt from this requirement and are not required to notify consumer reporting agencies.

Third-Party Data Notification. If a breach occurs of the security of an information system containing PI on an AK resident that is maintained by an Entity that does not own or have the right to license the PI, the Entity shall notify the Entity that owns or licensed the use of the PI about the breach and cooperate as necessary to allow the Entity that owns or licensed the use of the PI to comply with the statute.

Timing of Notification. The disclosure shall be made in the most expeditious time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the information system.

Personal Information Definition. An individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired:
- Social Security Number;
- Number on a driver license or number on a state identification; or
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial account.
PI does not include publicly available information that is lawfully made available to the general public from the federal, state, or local government.

Notice Required. Notice may be provided by one of the following methods:
- Written notice;
- Telephonic notice; or
- Electronic notice if the Entity's primary method of communication with the AK resident is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).

Substitute Notice Available. Substitute notice is available if the Entity can demonstrate that the cost of providing notice will exceed $150,000 or that the affected class of persons to be notified exceeds 300,000. Substitute notice shall consist of all of the following:
- Email notice if the Entity has email addresses for the state residents subject to the notice;
- Conspicuous posting of the notice on the Web site of the Entity if the Entity maintains one; and
- Notification to major statewide media.

Penalties. An Entity is liable to the state for a civil penalty of up to $500 for each state resident who was not notified (the total penalty may not exceed $50,000) and may be enjoined from further violations.

Other Key Provisions:
- Delay for Law Enforcement. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by the statute must be made after the law enforcement agency determines that notification will no longer impede the investigation.
- Private Right of Action. A person injured by a breach may bring an action against a non-governmental Entity.
- Waiver Not Permitted.