Alaska's Personal Information Protection Act is the law overseeing data breach notifications in the state. This law applies to businesses with more than 10 employees that own, license or maintain covered information and suffer a "breach of security" involving the covered information of Alaska's residents.
Under Alaska's law, a breach of security means:
"unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector..."
That said, good-faith data acquisitions by employees or agents for legitimate purposes are exempt from this definition.
Notification Requirements
If a breach of security occurs, Alaska's law requires you to notify affected consumers as soon as possible and without unreasonable delay. In other words, Alaska's law doesn't specify a concrete timeframe for notifying consumers.
Notification applies whether or not the information has been accessed by an unauthorized third party for legal or illegal purposes:
[Screenshot: Alaska Data Breach Notification Law: Disclosure of breach of security section]
You can send notifications to consumers using either written or electronic notice in compliance with the E-SIGN Act.
If affected consumers exceed 1,000, you must also notify all consumer credit reporting agencies immediately. Your notice must include details about the timing and content of the notification sent to consumers.
Some important caveats to take note of:
- You can delay notification if Alaska's law enforcement decides that notifying consumers would compromise a criminal investigation.
- You can use substitute notices like sending emails, posting the breach on your website, or notifying a state-wide media agency if any of the following is true:
  - The cost of sending notices exceeds $250,000,
  - The number of affected consumers exceeds 500,000, or
  - You don't have sufficient contact information to notify consumers.
Types of Personal Information Protected
Alaska's data breach law protects "personal information" in both electronic and paper form.
It defines personal information as:
An Alaska resident's first name or first initial and last name combined with at least one of the following data elements, when the name or the data element is not redacted or encrypted:
- Social Security number
- Driver's license number or state ID card number
- Financial accounts or credit/debit card numbers on their own if no access code is required to use them
- Passwords, PINs, and other account access information
- Any of the above if sufficient to steal or attempt to steal a person's identity
Penalties for Non-Compliance
Non-compliance with Alaska's data breach notification law attracts civil penalties of up to $500 for each resident not notified. Fines are capped at $50,000 per incident.