Alaska
|
Click here to review text of state statute |
Information Covered / Important Definitions
Information covered:
Personal information of Alaska residents.
Definition includes usernames and passwords, personal identification numbers (“PINs”), or other access codes for financial accounts.
Important definitions:
“Security Breach” means an unauthorized acquisition or reasonable belief of unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of the personal information maintained.
“Acquisition” means any method of acquisition, including by photocopying, facsimile, or other paper-based method, or a device, including a computer, that can read, write, or store information that is represented in numerical form.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person doing business in Alaska and any person with more than ten employees.
Third party recipients:
Third parties maintaining personal information on behalf of a covered entity must notify covered entity about a breach and cooperate as necessary to allow covered entity to comply with statute. The covered entity must satisfy all further notification obligations under the statute.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach in the most expeditious time possible and without unreasonable delay, unless law enforcement agency determines that disclosure will interfere with a criminal investigation (in which case notification delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs to exceed $150,000, affected class exceeds 300,000 persons, or covered entity has insufficient contact information.
- Notice not required if, after an investigation and written notice to the attorney general, the entity determines that there is not a reasonable likelihood of harm to the consumers whose personal information was acquired. The determination must be documented in writing and maintained for five years.
Other obligations:
Any covered entity that must notify more than 1,000 residents at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies. This section does not apply to entities subject to Title V of the Gramm-Leach-Bliley Act of 1999 (“GLBA”).
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal information that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Safe harbor not available if the personal information is encrypted but the encryption key has been accessed or acquired.
Other exemptions:
Exemption for good faith acquisition by an employee or agent of covered entity so long as personal information is used for a legitimate purpose of employer and is not subject to further unauthorized disclosure.
Notification to Regulator / Waiver
A determination of no likelihood of harm:
Requires written notification to attorney general.
A waiver of the statute is void and unenforceable.
Penalties
Violations by non-governmental entities constitute unfair or deceptive acts or practices under AS 45.50.471 - 45.50.561. Such entities are liable for civil penalties up to $500 per resident who was not properly notified, with the total civil penalty not to exceed $50,000.
Damages awarded under AS 45.50.531 are limited to actual economic damages that do not exceed $500, and damages awarded under AS 45.50.537 are limited to actual economic damages.
Private Cause of Action / Enforcement
Private Cause of Action: Yes.
A person injured by a breach may bring an action against a non-governmental entity.
The Department of Administration may enforce violations by governmental entities.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
|
Click here to review text of state statute |