The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Persons, businesses, entities with more than ten (10) employees, government agencies, and other entities that acquire, use, or maintain personal information.
Consumer Notification: Notification must be provided to any Alaska resident whose unencrypted personal information was, or is reasonably believed to have been, acquired without authorization.
Regulatory Notification: Notification must be provided to the Alaska Attorney General if the entity determines that consumer notification is not required because there is no reasonably likelihood that harm to consumers has or will result from the breach.
Notification Timeline: Notification must be provided in the most expeditious time possible and without unreasonable delay except as necessary to determine the scope of the breach and restore the reasonable integrity of the information system.
Data Format: Electronic and physical.
Citations: Alaska Stat. Ann. §§ 45.48.010 to 45.48.090
- Breach: Unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the entity.
- Personal Information (PI): An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number;
- Driver’s license number or state identification card number;
- Account number, credit card number, or debit card number if it can be used to access an account without a security code, access code, or password;
- Passwords, personal identification numbers, or other access codes for financial accounts.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: Notification is not required when the PI is encrypted or redacted, so long as the encryption key was not accessed or acquired.
- Good Faith: Notification is not required if an employee or agent of the entity acquires personal information in good faith for a legitimate purpose of the entity, provided the employee or agent does not use the PI for a purpose unrelated to a legitimate purpose of the entity and does not make further unauthorized disclosure of the PI.
- Risk of Harm: Notification is not required if, after an appropriate investigation, the subject entity determines there is no reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or result from breach. The analysis must be documented in writing and maintained for 5 years.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by the statute must be made after the law enforcement agency determines that notification will no longer impede the investigation.
- Timing: Notification must be provided in the most expeditious time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the information system.
- Format: N/A
- Content: N/A
- Method: Notification letters must be provided by one of the following methods: (1) written notice to the most recent address the entity has for the individual; or (2) electronic notice if the entity’s primary method of communication with the Alaska resident is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. §7001 (E-Sign Act).
An entity may provide substitute notice if the cost of providing notice would exceed $150,000, the affected class of state residents exceeds 300,000, or the entity lacks sufficient contact information. Such notice must include (1) email notice if the entity has email addresses for the Alaska resident subject to the notice; (2) conspicuous posting of the notice to the entity’s website; and (3) notice to major statewide media.
Notification must be made to the Alaska Attorney General if the entity determines there is no reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or result from breach.
Credit Reporting Agencies Notice:
Notification must be made to all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis if more than 1,000 Alaska residents are required to be notified. Such notification must be completed without unreasonable delay and the agencies must be provided with the timing, distribution, and content of the notices to Alaska residents. Entities subject to the Gramm-Leach-Bliley Act are exempt from the requirement to notify consumer reporting agencies.
If a breach of the security of the information system containing PI on an Alaska resident is maintained by a third-party entity that does not own or license the PI, the third party entity shall notify the entity that owns or licensed the use of the PI about the breach and cooperate as necessary to allow the entity that owns or licensed the use of the PI to comply with the statute.
A person injured by a breach may bring an action against a non-governmental entity Alaska Stat. §§ 45.48.010 to 45.48.090.