The Legal Framework for Data Protection in Alaska
The Alaska Personal Information Protection Act is a data privacy law that was passed in the U.S. state of Alaska in 2009. While the Alaska Personal Information Protection Act is not a comprehensive data protection law such as the Virginia Consumer Data Protection Act or the California Privacy Rights Act, the law does govern the collection and processing of certain categories of personal information. As such, the Alaska Personal Information Protection Act represents one of the foremost ways in which certain categories of personal data are legally protected at a state level within Alaska. Moreover, the law also establishes the sanctions and penalties that individuals, businesses, and organizations operating within the state of Alaska stand to face should they violate the various provisions of the law.
What are the provisions of the Alaska Personal Information Protection Act?
One of the primary provisions of the Alaska Personal Information Protection Act is Sec. 45.48.010 – .090, which pertains to data breach security. Under Sec. 45.48.010 – .090, a data breach is defined as “an unauthorized acquisition (or the reasonable belief of such) that compromises the security, integrity, or confidentiality of covered information. This excludes some good-faith acquisitions by employees or agents and applies to businesses with more than 10 employees or any person doing business with another entity who owns, licenses, or maintains covered information.” Under Sec. 45.48.010 – .090, businesses and organizations that operate within the state of Alaska are required to provide citizens with data breach notifications in the event that their personal information is compromised through such an incident.
These notifications must be provided to consumers in written form and contain information detailing the categories of personal data that were disclosed in the data breach, among other specifics. Furthermore, in instances where more than 1,000 Alaskan residents are notified as a result of a data breach, the entity that experienced the breach is also responsible for notifying all consumer credit reporting agencies within the U.S., without undue delay. To this end, the following types of personal information are covered under Sec. 45.48.010 – .090 of the Alaska Personal Information Protection Act:
- Social security numbers.
- Driver's license and state identification card numbers.
- Financial account information.
- Debit and credit card numbers, as well as associated security and access codes.
- PIN numbers or passwords that would grant an individual access to another person’s financial account or information.
- Passwords, PINs, or other access information for financial accounts.
Sec. 45.48.600 – .690 – Factual Declaration of Innocence After Identity Theft; Right to File Police Report
Sec. 45.48.600 – .690 of the Alaska Personal Information Protection Act pertains to identity theft. Under this provision of the law, victims of identity theft within the state are entitled to “petition the Alaska Superior Court for a declaration that the individual is factually innocent of the crime if the perpetrator was arrested, cited, or convicted of the crime. The court has broad discretion to make a determination based on declarations, affidavits, or other relevant material. This section also allows the Department of Law to establish and maintain a database of individuals who have been the victims of identity theft and who have been declared innocent of the crime.” What’s more, Sec. 45.48.600 – .690 also contains a provision that allows Alaskan residents to file a police report with local law enforcement authorities in instances where they have learned or have reason to believe that they have been the victim of identity theft, irrespective of the jurisdiction in which the alleged or suspected actions took place.
Sec. 45.48.500 – .590 – Disposal of Records
Sec. 45.48.500 – .590 of the Alaska Personal Information Protection Act covers the disposal of organizational and government records within the state. Under Sec. 45.48.500 – .590, businesses and government agencies within Alaska are required to develop and maintain reasonable security measures for the purposes of preventing the “unauthorized access to, or use of records” when disposing of records containing personal information. In order to comply with this requirement, said entities must implement policies and procedures that require the destruction of personal information after the purposes for which said information has been used have been fulfilled.
Alternatively, businesses and organizations within the state can also outsource this duty to a third party, as the law states that “a business or government agency is not liable for the disposal after relinquishing control of the records to a third party that is in the business of record destruction.” In terms of the enforcement of the law, businesses and organizations that violate Sec. 45.48.500 – .590, along with any of the other various provisions established by the Alaska Personal Information Protection Act, are subject to “a $3,000 penalty plus actual economic damages, court costs, and full reasonable attorneys fees.”
While the Alaska Personal Information Protection Act does not provide Alaskan citizens with comprehensive personal data protection, the law does provide said citizens with the means to seek justice and compensation in the event that certain categories of personal information concerning them are improperly disclosed or accessed. In addition to provisions regarding data breaches, identity theft, and personal records, the law also contains sections that cover credit reporting matters, the truncation of debit and credit information, and the protection of social security numbers. As such, Alaskan citizens can rest assured that these forms of personal data and information are protected under the law of their state.