On June 13, 2008, HB 65 was signed into law. It requires entities that have experienced data security breaches involving the personal information of Alaska residents to notify the affected individuals of the breach. The Alaska law goes into effect July 1, 2009.
Personal information is defined as information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of an individual's name (first name or first initial and last name) and one or more of the following information elements:
(a) Social Security number;
(b) Driver's license number or state identification card number;
(c) Account number, credit card number or debit card number, combined with any security code, access code, personal identification number or password needed to access an account; or
(d) Passwords, personal identification numbers, or other access codes for financial accounts.
The law is applicable to any person, governmental agency or person with more than 10 employees that owns or licenses personal information in any form (“information collector”) in Alaska that includes personal information on an Alaska resident. If a breach of the security of the information system that contains personal information occurs, the information collector shall, after discovering or being notified of the breach, disclose the breach to each state resident whose personal information was subject to the breach.
An information collector shall make the disclosure:
(a) By a written document sent to the most recent address the information collector has for the state resident;
(b) By electronic means if the information collector's primary method of communication with the state resident is by electronic means or if making the disclosure by the electronic means is consistent with the provisions regarding electronic records and signatures required for notices legally required to be in writing; or
(c) If the information collector demonstrates that the cost of providing notice would exceed $150,000, that the affected class of state residents to be notified exceeds 300,000, or that the information collector does not have sufficient contact information to provide notice, by:
1. electronic mail if the information collector has an electronic mail address for the state resident;
2. conspicuously posting the disclosure on the Internet website of the information collector if the information collector maintains an Internet website; and
3. providing a notice to major statewide media.
In the event an information collector is required to notify more than 1,000 state residents of a breach, the information collector shall also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis and provide the agencies with the timing, distribution, and content of the notices to state residents.
If an information collector who is a governmental agency violates the statute with regard to the personal information of a state resident, the information collector is liable to the state for a civil penalty of up to $500 for each state resident who was not notified, but the total civil penalty may not exceed $50,000. The information collector may also be enjoined from further violations.
If an information collector who is not a governmental agency violates the statute with regard to the personal information of a state resident, the information collector is liable to the state for a civil penalty of up to $500 for each state resident who was not notified, but the total civil penalty may not exceed $50,000. Damages that may be awarded against the information collector are limited to actual economic damages that do not exceed $500.