Alaska Stat. § 45.48.010 et seq.
H.B. 65 (signed into law June 13, 2008, Chapter 92 SLA 08)
Effective July 1, 2009
Application. Any person, any state or local governmental agency (excepting the judicial branch), or any person with more than 10 employees (collectively, Entity) that owns or licenses PI in any form in AK that includes PI of an AK resident.
- The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on state residents, whether or not the Entity conducts business in AK.
Security Breach Definition. An unauthorized acquisition or reasonable belief of unauthorized acquisition of PI that compromises the security, confidentiality, or integrity of the PI maintained by the Entity. Acquisition includes acquisition by photocopying, facsimile, or other paper-based method; a device, including a computer, that can read, write, or store information that is represented in numerical form; or a method not identified in this paragraph.
- Good-faith acquisition of PI by an employee or agent of the Entity for a legitimate purpose of the Entity is not a breach of the security of the information system if the employee or agent does not use the PI for a purpose unrelated to a legitimate purpose of the Entity and does not make further unauthorized disclosure of the PI.
Notification Obligation. Any Entity to which the statute applies shall disclose the breach to each AK resident whose PI was subject to the breach after discovering or being notified of the breach.
Notification is not required if, after an appropriate investigation and after written notification to the state AG, the Entity determines that there is not a reasonable likelihood that harm to the consumers whose PI has been acquired has resulted or will result from the breach. The determination shall be documented in writing and the documentation shall be maintained for five years.
Notification of Consumer Reporting Agencies. If an Entity is required to notify more than 1,000 AK residents of a breach, the Entity shall also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis and provide the agencies with the timing, distribution, and content of the notices to AK residents. Entities subject to the Gramm-Leach-Bliley Act are exempt from this requirement and are not required to notify consumer reporting agencies.
Third-Party Data Notification. If a breach of the security of the information system containing PI on an AK resident that is maintained by an Entity that does not own or have the right to license the PI occurs, the Entity shall notify the Entity that owns or licensed the use of the PI about the breach and cooperate as necessary to allow the Entity that owns or licensed the use of the PI to comply with the statute.
Timing of Notification. The disclosure shall be made in the most expeditious time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the information system.
Personal Information Definition. Information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of an individual’s first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security Number;
- Driver license number or state identification card number;
- Account number, credit card number, or debit card number; if these can only be accessed with a personal code, then the account, credit card, or debit card number in combination with any required security code, access code, or password; or
- Passwords, personal identification numbers, or other access codes for financial accounts.
Notice Required. Notice may be provided by one of the following methods:
- Written notice;
- Telephonic notice; or
- Electronic notice if the Entity’s primary method of communication with the AK resident is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Disclosure is not required if, after an appropriate investigation and after written notification to the attorney general, the Entity determines that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach. The determination shall be documented in writing, and the documentation shall be maintained for five years. The notification required may not be considered a public record open to inspection by the public.
Substitute Notice Available. Substitute notice is available if the Entity can demonstrate that the cost of providing notice will exceed $150,000, that the affected class of persons to be notified exceeds 300,000, or that the Entity does not have sufficient contact information to provide notice. Substitute notice shall consist of all of the following:
- Email notice if the Entity has email addresses for the state resident subject to the notice;
- Conspicuous posting of the notice on the Web site of the Entity if the Entity maintains one; and
- Notification to major statewide media.
Penalties. An Entity is liable to the state for a civil penalty of up to $500 for each state resident who was not notified (the total penalty may not exceed $50,000) and may be enjoined from further violations.
Other Key Provisions:
- Delay for Law Enforcement. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by the statute must be made after the law enforcement agency determines that notification will no longer impede the investigation.
- Private Right of Action. A person injured by a breach may bring an action against a non-governmental Entity.
- Waiver Not Permitted.