Alaska Data Breach
Alaska Stat. § 45.48.010 – § 45.48.090
EFFECTIVE. July 1, 2009
WHO DOES THIS LAW APPLY TO. (1) Any person, business, or government agency that owns or licenses Personal Information on a State resident; and (2) any person, business, or government agency that maintains Personal Information on a State resident.
WHAT IS A BREACH. Unauthorized acquisition of Personal Information that compromises the security, integrity, or confidentiality of Personal Information maintained by a person, business, or government agency.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted or redacted, or is encrypted but the encryption key has been accessed or acquired:
- Social Security Number;
- Driver’s license number or State identification card number; or
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the State residents affected. No notification is required if the person, business, or government agency, after a reasonable investigation and notification to the Attorney General, determines that it is unlikely the consumers involved will be harmed as a result of the breach. Such a determination must be in writing and maintained for five years.
If more than 1,000 Alaska residents are involved in a breach, the person, business, or government agency shall also notify (without reasonable delay) all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the timing, distribution, and content of the notice. Such notice shall not include the names of the State residents involved or their Personal Information.
EXCEPTION. A good faith acquisition of Personal Information by an employee or agent of the owner or licensor for internal purposes only is not a breach, if it is not used for an unlawful purpose or subject to further unauthorized disclosure. This Section does not apply to those who are subject to Title V of the Federal Gramm-Leach-Bliley Financial Modernization Act.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, business, or government agency discovers or is notified of a security breach. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines it will impede a criminal investigation, and such delay is requested in writing. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written (to the most recent known address).
- Electronic (if it is the primary means of communication or notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or government agency can demonstrate that the cost of providing notice will exceed $150,000, the affected class of persons to be notified exceeds 300,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, business, or government agency maintains Personal Information that it does not own, then the person, business, or government agency shall notify and cooperate with the owner or licensor immediately upon discovery of the breach. Cooperation shall include sharing information relevant to the breach but excludes confidential business or trade secret information. The person, business, or government agency that owns or licenses the Personal Information shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. A government agency that violates this Section shall be liable to the State for a civil penalty of up to $500 per resident that it failed to notify, not to exceed $50,000. In addition, it may be subject to a court order to prevent further violations.
Violations of this Section by a person or business shall be considered an unfair or deceptive act or practice. The person or business shall be liable to the State for a civil penalty of up to $500 per resident that it failed to notify, not to exceed $50,000. In addition, actual economic damages may be awarded.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. None provided in the statute.
DATA DISPOSAL PROVISIONS. Alaska Stat. § 45.48.500: Trade and Commerce; Disposal of Records; Disposal of records. Businesses and agencies disposing of records containing “personal information” must take reasonable measures to protect against unauthorized access. Third-party vendors may be used but must be subject to reasonable due diligence. Businesses subject to and in compliance with the Gramm-Leach-Bliley Act are exempt from this law.
LEGISLATIVE UPDATES.
H.B. 65 – Signed into law on 6/13/2008, Effective 7/1/2009.
For more information, see here: http://www.legis.state.ak.us/basis/folioproxy.asp?url=http://wwwjnu01.legis.state.ak.us/cgi-bin/folioisa.dll/stattx09/query=45!2E48!2E010/doc/{@1}?firsthit
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.