Alaska

Data Breach Notification Statute

Highlights

Covered Entities: Persons doing business, persons with more than ten (10) employees, government agencies, and other entities that own or license personal information.

Consumer Notification: Notification must be provided to any Alaska resident whose unencrypted personal information was, or is reasonably believed to have been, acquired without authorization where the acquisition compromises the security, confidentiality, and integrity of the personal information.

Regulatory Notification: Notification must be provided to the Alaska Attorney General if, following appropriate investigation, the entity determines that consumer notification is not required because there is no reasonable likelihood that harm to consumers has resulted or will result from the breach. If more than 1000 Alaska residents are notified, notice also must be provided to all consumer reporting agencies.

Notification Timeline: Notification must be provided in the most expeditious time possible and without unreasonable delay except as necessary to determine the scope of the breach and restore the reasonable integrity of the information system or when an appropriate law enforcement agency determines that disclosing the breach will interfere with a criminal investigation.

Data Format: Electronic and physical.

Citations: Alaska Stat. Ann. §§ 45.48.010 to 45.48.090

More Details

Definitions:

  • Breach: Unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the entity.
  • Personal Information (PI):
    • An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
      • Social Security number;
      • Driver’s license number or state identification card number;
      • Account number, credit card number, or debit card number if it can be used to access an account without a security code, access code, or password;
      • Passwords, personal identification numbers, or other access codes for financial accounts.
  • Medical Information: N/A
  • Health Insurance Information: N/A 

Safe Harbors:

  • Encryption: Notification is not required when the PI is encrypted or redacted, so long as the encryption key was not accessed or acquired.
  • Good Faith: Notification is not required if an employee or agent of the entity acquires personal information in good faith for a legitimate purpose of the entity, provided the employee or agent does not use the PI for a purpose unrelated to a legitimate purpose of the entity and does not make further unauthorized disclosure of the PI.
  • Risk of Harm: Notification is not required if, after an appropriate investigation and after written notice to the Alaska Attorney General, the subject entity determines there is no reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach. The analysis must be documented in writing and maintained for 5 years.
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by the statute must be made in the most expeditious time possible and without delay after the law enforcement agency informs the entity that notification will no longer impede the investigation.

Direct Notice:

  • Timing: Notification must be provided in the most expeditious time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the information system.
  • Format: N/A
  • Content: N/A
  • Method: Notification letters must be provided by one of the following methods: (1) written notice to the most recent address the entity has for the individual; or (2) electronic notice if the entity’s primary method of communication with the Alaska resident is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. §7001 (E-Sign Act).

Substitute Notice:

An entity may provide substitute notice if the cost of providing notice would exceed $150,000, the affected class of state residents exceeds 300,000, or the entity lacks sufficient contact information. Such notice must include (1) email notice if the entity has email addresses for the Alaska resident subject to the notice; (2) conspicuous posting of the notice to the entity’s website; and (3) notice to major statewide media.

Remediation Services:

N/A 

Regulatory Notice:

Notification must be made to the Alaska Attorney General if the entity determines, following appropriate investigation, that there is no reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach.

Credit Reporting Agencies Notice:

Notification must be made to all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis if more than 1,000 Alaska residents are required to be notified. Such notification must be completed without unreasonable delay and the agencies must be provided with the timing, distribution, and content of the notices to Alaska residents. Entities subject to the Gramm-Leach-Bliley Act are exempt from the requirement to notify consumer reporting agencies.

Third-Party Notice:

If an information system containing PI on an Alaska resident is maintained by a third-party entity that does not own or license the PI and the security of that system is breached, the third-party entity shall notify the entity that owns or licensed the use of the PI about the breach and cooperate as necessary to allow that entity to comply with the statute.

HIPAA:

N/A

Private Action:

A person injured by a breach may bring an action against a non-governmental entity (Alaska Stat. §§ 45.48.010 to 45.48.090).

Associated Regulations:

N/A
