Organizations and Vendors are required to implement and maintain security measures to protect the sensitive personal information during and after disposal to prevent a breach. Organizations must use due diligence by entering into a written contract with Vendors engaged in the business of record destruction to dispose of records containing personal information. Vendors must be assessed by Organizations to show compliance with mandated protections during disposal.

If breach notification is required to more than 1,000 residents, it must be reported, without unreasonable delay, to all consumer reporting agencies with specific information. Breach of security regulations in Alaska cover unauthorized acquisition of personal information held in either electronic or paper form. If an organization investigates a suspected breach and reasonably determines that affected consumers are unlikely to suffer harm, consumer notification is not required. However, notification must be sent to the state Attorney General stating such determination, and the organization must maintain internal documentation for at least 5 years.

If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

If Organization relinquishes control by contract with Vendor for disposal, Organization is no longer liable for the disposal of the records. Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications. Vendors must cooperate with Organizations and provide all necessary information about a breach incident.

Organizations may be fined or penalized for Vendor violations. An individual, an organization, or a governmental agency that knowingly violates the disposal regulations may be fined up to $3,000. An individual harmed by violations of the disposal regulations may bring a civil action to recover actual damages, costs and fees. Organizations must protect an individual’s social security number and credit card number through truncation or face a state civil penalty of up to $3,000 in damages, as well as an individual action for actual economic damages, costs and fees.