Alaska Statute § 45.48.010 et seq
Type of Data Covered: Any form (electronic, physical, biometric, etc) of personal information, Alaska Stat. 45.48.010(a).
Is Breach Defined?
Yes! Alaska Stat. 45.48.090
"(1) “breach of the security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector; in this paragraph, “acquisition” includes acquisition by
(A) photocopying, facsimile, or other paper-based method;
(B) a device, including a computer, that can read, write, or store information that is represented in numerical form; or
(C) a method not identified by (A) or (B) of this paragraph"
When is notice required?
Notice is required, "within a reasonable time to determine the scope of the breach and restore integrity to the system," for all residents who had their personal information disclosed in the breach. Residents may receive notice in the mail or via electronic mail depending on the circumstances. See Alaska Stat. 45.48.030.
However, law enforcement may delay the notice to preserve the integrity of a pending investigation. Consumer credit reporting agencies are also supposed to receive notice if over 1,000 residents are impacted by the breach. See Alaska Stat. 45.48.040. Additionally, §45.48.010(c) limits the scope of the disclosure to the Attorney General's office if an investigation determines that there is "not a reasonable likelihood of harm" to the residents.
What are the penalties for non-compliance?
§45.48.080 lists penalties for government agencies up to $500 per resident but not exceeding a total of $50,000. For other entities the statutory damages are the same but it has some limitations on class action awards and attorney's fees.