Alaska Breach Notification Law


Learn about Breach Notification Law in Alaska

Alaska Stat. § 45.48.010 et seq., passed under H.B. 65 and signed into law on June 13, 2008, went into effect July 1, 2009. Specific information pertaining to Alaska breach laws can be found in chapter 92, SLA 08. These requirements are referred to under the Personal Information Protection Act.

Legal Requirements

In Alaska, any individual, local or state agency, or situation where more than ten employees are presided over by a responsible party, constitute an entity affected by this law. This is provided they license PI of Alaska residents. Application of this law extends to businesses or individuals not local to Alaska, but who manage PI on residents in the state.

A security breach transpires when unauthorized PI is acquired which compromises a resident in terms of security, integrity, or confidentiality. This data is acquired from the entity responsible for the PI without that entity’s consent.

PI refers to information of any sort about an Alaskan resident which has no encryption, or which has not been redacted. It may be encrypted, but keys to such encryptions have become available through a breach. PI includes a first name and last name, or someone’s first initial and last name, and data associated with that name such as SSNs, personal ID numbers, state IDs, or driver’s licenses. Any account number of a financial kind, or password associated with an account, is also included. PINs, passwords, or other codes are PI.

Breach Notification and Reporting

In the event of PI breach, the entity must let any affected Alaska residents know. Entities aren’t required to report if they investigate in agreement with legal requirements and notify the AG. Regulatory agencies should be notified if more than 1,000 Alaska residents have PI affected by the breach. Primary consumer credit reporting groups need to be appraised of breach distribution, content affected, and associated timing. This disclosure must take place in a reasonable timeframe.

An entity that can demonstrate notification will cost more than $150,000, or that more than 300,000 AK residents have been affected, or there isn’t enough contact information on affected parties, can use email notices, conspicuous posts on entity-run websites, and major media notification.


Entities can be fined up to $500 per resident for those who aren’t notified. The maximum penalty that can be leveled is $50,000. This is a civil penalty paid to the state. Additional violations can be enjoined. In Alaska, private lawsuits are allowed.

Contact SCA to Learn More about Alaska Breach Notification Law

SCA has years of experience helping organizations across the United States to prevent and manage potential data breaches. Contact us today at 727-571-1141 to schedule a no-cost consultation. You can also download our free Data Breach Response Guide to learn more about breach notification law in your state.