This is another in our series of articles about data protection laws around the country. The focus for this post is on Alaska.
On June 19, 2008, Alaska became the 44th state with a breach notification law when then-Governor Sarah Palin signed HB 65, the Alaska Personal Information Protection Act (“Alaska Act”). Most of the Alaska Act became effective on July 1, 2009. The Alaska Act contains a number of articles, including ones on breach notification,[1] credit report and credit score security freeze,[2] protection of social security numbers,[3] secure disposal of records,[4] and truncation of printed card information.[5]
With some variations, the Alaska Act’s breach notification provisions are similar to California’s SB 1386.[6] A business or governmental agency must notify Alaska residents concerning security breaches compromising their “personal information.”[7] A “breach of the security” means “any unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information.”[8] This definition is similar to that of SB 1386.
The Alaska Act’s breach notification provisions nonetheless differ from California’s SB 1386 in some respects. For instance, the Alaska Act applies to “personal information in any form,”[9] which includes paper information, while SB 1386 is limited to “computerized data.” In addition, no disclosure is necessary if, after investigation, “there is not a reasonable likelihood that harm to the consumers . . . has resulted or will result from the breach,” although the attorney general must still be informed of the breach. The covered person must document this determination in writing and maintain the documentation for five years.[10]
Finally, the Alaska Act has a more nuanced scope of coverage than SB 1386. It covers any person “doing business” (not necessarily in Alaska), “governmental agency,” or “person with more than 10 employees” that owns or licenses personal information about Alaska residents (called “information collectors”). “Information collectors” may include those who own the personal information and provide it under license to others, called “information distributors,” as well as those receiving the information under license, called “information recipients.”[11] Presumably, “information distributors” and “information recipients” are involved in situations such as outsourcing, where a covered entity collects the information but provides it to a service provider. If a security breach affects an “information recipient,” then the duty to notify falls on the “information distributor,” although the information recipient must cooperate with the information distributor to make the notification.[12]
The Alaska Act places various kinds of restrictions on communicating, printing, and transmitting Social Security Numbers.[13] Subject to various exceptions, businesses may not request or collect an individual’s Social Security number.[14] A person may also not sell Social Security numbers or disclose them to third parties, except for certain situations.[15] A knowing violation of the Social Security Number protection provisions triggers a civil penalty of up to $3,000 and the statute creates a private right of action for knowing violations.[16]
In addition, the Alaska Act requires that when businesses and governmental agencies dispose of records containing “personal information,” they must satisfy certain security requirements. Specifically, they must “take all reasonable measures necessary to protect against unauthorized access to or use of the records.”[17] The statute gives examples of security measures, which may include shredding paper, erasure of electronic media “so that the personal information cannot practicably be read or reconstructed,” and using a third party specialist in records destruction under a written contract with the covered person.[18] Similar to the Social Security protections, a knowing violation of this article triggers a civil penalty of up to $3,000. Individuals sustaining damages have a private right of action to recover damages for any violations (even violations not knowingly made).[19]
Finally, the Alaska Act requires businesses accepting credit cards or debit cards to truncate card numbers displayed on printed receipts. They may not print more than the last four digits of the card number and may not print the card expiration date on the receipt.[20]
[1] Alaska Stat. §§ 45.48.010-45.48.090.
[2] Id. §§ 45.48.100-45.48.290.
[3] Id. §§ 45.48.400-45.48.480.
[4] Id. §§ 45.48.500-45.48.590.
[5] Id. § 45.48.750.
[6] Cal. Civil. Code §§ 1798.29, 1798.82.
[7] Alaska Stat. § 45.48.010(a).
[8] Id. § 45.48.090(1).
[9] Alaska Stat. § 45.48.010(a).
[10] Id. § 45.48.010(c).
[11] Id. § 45.48.090(2), (4), (5), (6).
[12] Id. § 45.48.070(a).
[13] Alaska Stat. § 45.48.400.
[14] Id. § 45.48.410.
[15] Id. §§ 45.48.420-45.48.430.
[16] Id. § 45.48.480.
[17] Id. § 45.48.500.
[18] Id. § 45.48.510.
[19] Id. §§ 45.48.550-45.48.560.
[20] Id. § 45.48.750.