Lawyer Publications

Alaska Stat. § 45.48.010 et seq.

H.B. 65 (signed into law June 13, 2008, Chapter 92 SLA 08)

Effective July 1, 2009

Application. Any person doing business, governmental agency (excepting the judicial branch), or person with more than 10 employees (collectively, Entity) that owns or licenses PI in any form in AK that includes PI of an AK resident.

Security Breach Definition. An unauthorized acquisition or reasonable belief of unauthorized acquisition of PI that compromises the security, confidentiality, or integrity of the PI maintained by the Entity. Acquisition includes acquisition by photocopying, facsimile, or other paper-based method; a device, including a computer, that can read, write, or store information that is represented in numerical form; or a method not identified in this paragraph.

  • Good-faith acquisition of PI by an employee or agent of the Entity for a legitimate purpose of the Entity is not a breach of the security of the information system if the employee or agent does not use the PI for a purpose unrelated to a legitimate purpose of the Entity and does not make further unauthorized disclosure of the PI.

Notification Obligation. An Entity to which the statute applies shall disclose the breach to each AK resident whose PI was subject to the breach.

  • Notification is not required if, after an appropriate investigation and after written notification to the state Attorney General, the Entity determines that there is not a reasonable likelihood that harm has resulted or will result from the breach. The determination shall be documented in writing and the documentation shall be maintained for 5 years.

Notification of Consumer Reporting Agencies. If an Entity is required to notify more than 1,000 AK residents of a breach, the Entity shall also notify without unreasonable delay all nationwide consumer credit reporting agencies of the timing, distribution, and content of the notices to AK residents.

  • Entities subject to the Gramm-Leach-Bliley Act are exempt from this requirement and are not required to notify consumer reporting agencies.

Third-Party Data Notification. If an Entity experiences a breach of the security of PI on an AK resident that the Entity does not own or license, the Entity shall notify the Entity that owns or licensed the use of the PI about the breach and cooperate as necessary to allow the Entity that owns or licensed the use of the PI to comply with the statute.

Timing of Notification. Notification shall be made in the most expeditious time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the information system.

Personal Information Definition. Information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of an individual’s first name or first initial and last name in combination with any one or more of the following data elements:

  • Social Security number;
  • Driver’s license number or state identification card number;
  • Account number, credit card number, or debit card number, except if these can only be accessed with a personal code, then the account, credit card, or debit card number in combination with any required security code, access code, or password; or
  • Passwords, personal identification numbers, or other access codes for financial accounts.

Notice Required. Notice may be provided by one of the following methods:

  • Written notice to the most recent address the Entity has;
  • Telephonic notice; or
  • Electronic notice, if the Entity’s primary method of communication with the AK resident is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).

Substitute Notice Available. If the Entity can demonstrate that the cost of providing notice will exceed $150,000, that the affected class of persons to be notified exceeds 300,000, or that the Entity does not have sufficient contact information to provide notice. Substitute notice shall consist of all of the following:

  • Email notice, if the Entity has email addresses for the state resident subject to the notice;
  • Conspicuous posting of the notice on the website of the Entity, if the Entity maintains one; and
  • Notification to major statewide media.

Penalties.

  • An Entity that is a governmental agency is liable to the state for a civil penalty of up to $500 for each state resident who was not notified (the total penalty may not exceed $50,000) and may be enjoined from further violations.
  • An Entity that is not a governmental agency is liable to the state for a civil penalty of up to $500 for each state resident who was not notified (the total civil penalty may not exceed $50,000).

Other Key Provisions:

  • Delay for Law Enforcement. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by the statute must be made after the law enforcement agency determines that notification will no longer impede the investigation.
  • Private Right of Action. A person injured by a breach may bring an action against a non-governmental Entity.
  • Waiver Not Permitted.