Alaska State Data Breach Notification Laws Overview
The document provided is an overview of the State Data Breach Law. It is not a substitute for advice from an attorney, but is meant to be used as a business tool to help educate and start conversations between business, IT and counsel. I hope you find it helpful. Please let me know if you have any questions or comments.
Who must comply?
Person doing business
Governmental agency (except for agency of the judicial branch)
Person with more than 10 employees
What Data is Covered?
Personal Information
First initial or name with last name combined with any one of the following:
Social Security number
Driver's license number or state-issued identification card number
Account number, credit card number, or debit card number (an account number alone is excluded when the account also requires an access/security code, PIN or password to be accessed)
Passwords, PIN, or other access codes for financial accounts.
Exclusions
Public, Encrypted, Truncated & De-Identified PI
Encrypted or redacted data, provided the encryption key has not been accessed or acquired.
Disclosure is not required if, after an appropriate investigation and after written notification to the attorney general, it is determined that there is not a reasonable likelihood that harm to the consumers whose personal information was acquired has resulted or will result from the breach.
The determination must be documented in writing and the documentation maintained for five years.
Good-faith acquisition of PI by an employee or agent of an information collector for a legitimate purpose is not a breach, provided the employee or agent does not use the personal information for a purpose unrelated to that legitimate purpose and does not make any further unauthorized disclosure of the PI.
What is a breach?
Reasonable belief of an unauthorized acquisition of PI
Unauthorized acquisition, or reasonable belief of unauthorized acquisition, of an Alaska resident's personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector. This includes acquisition of paper records, of electronic devices, or by any other method.
How to Comply
Post Breach Compliance
Notice to the individual must be given in the most expeditious time possible and without unreasonable delay, subject to the needs of law enforcement.
Notice may also be delayed if the delay is necessary to determine the scope of the breach and to restore the reasonable integrity of the information system.
Notice Requirements
Post Breach Compliance
Requirements for notice
Written document or electronic document (a determination of the appropriate method is required).
The content of the notice is not specified.
Substitute notice may be used if the cost of providing notice is expected to exceed $150,000, the number of affected individuals exceeds 100,000, or the entity has insufficient contact information to provide notice.
If a breach affects more than 1,000 individuals, the entity must also notify all nationwide consumer reporting agencies of the timing, distribution and content of the notices.
Third parties that collect or maintain information, but do not own the information or hold the right to license it to another entity, must immediately notify the information owner or the entity that licensed the use of the personal information. The information distributor is designated as the entity responsible for complying with the statute.
Sanctions and Remedies
Violations (including violations by government agencies) are subject to a civil penalty of up to $500 for each consumer who was not provided notice, up to a maximum total penalty of $50,000.
In addition, an injured person may bring an action against a non-governmental information collector to recover actual economic damages, not to exceed $500.
Credit Reporting Provisions
A consumer may place a freeze on their credit report or credit score.
While a security freeze is in place, a consumer credit reporting agency must still allow a third party access to the consumer's credit report or credit score if the consumer requests that the agency allow the access.
When dealing with a third party, a consumer credit reporting agency may not suggest, state, or imply that a consumer's security freeze reflects a negative credit score, history, report, or rating.
A consumer credit reporting agency may charge a consumer $5 for placing a security freeze.
A consumer credit reporting agency may charge the consumer $2 for each access request made by the consumer.