Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • A breach includes personal information in any form and however aquired
  • Limited methods of notification delivery
  • Mandatory written report to attorney general
  • Consumer reporting agencies may need notified
  • Data owners are responsible for reporting and notifications may be required with specific information
  • PII protection and disposal laws
  • Violations can add up to $50,000 plus damages or enjoinment

Who Me?


Alaska breach and notification laws may apply if you:

  • Are a person doing business or government agency that owns or licenses PII of an Alaskan resident
  • Have more than 10 employees
  • Maintain PII that you do not own and cannot license to another entity

 There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?


PII relevant to a breach in Alaska include a person's name plus one or more of the following:

  • Social Security Number
  • Driver license or state identification number
  • Account number or credit  or debit card number
  • If an account can only be accessed with a personal code, the number in (c) and the personal code, meaning a security or access code, a pin or a password
  • Passwords, personal identification numbers (PIN), or other access codes for financial accounts



An applicable statute includes, but is not limited to:

  • Alaska Statutes (AS)  / Title 45. Trade And Commerce / Chapter 45.48.
  • Personal Information Protection Act / 45.48.010 - 45.48.090


A few of these laws include, but are not limited to:

  • Alaska Statutes / Title 45 - Trade and Commerce / Chapter 45.48 Personal Information Protection Act / Article 3 Protection of Social Security Number / Sec. 45.48.400 - 45.48.480
    • Article 4 Disposal of Records /
      • 45.48.500 Disposal of Records
      • Sec. 45.48.510. Measures to protect access
      • Sec. 45.48.520. Due diligence
    • Article 6 Truncation of card information / Sec. 45.48.750



Government agency information collectors: Violators may be subject to a civil penalty of $500 for every resident who was not notified, up to $50,000, and may be enjoined. The Department of Administration may enforce the penalties.

All other information collectors: Violations are considered an unfair or deceptive act or practice. Violators may be subject to a civil penalty of $500 for every resident who was not notified, up to $50,000, and damages may be awarded against them, in accordance with multiple statutes.



When considering reporting requirements, it would include, but not be limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If any kind of encryption key or password was accessed or acquired
  • If there is reasonable likelihood of harm


Notification may be delayed if law enforcement advises it will interfere with an investigation, otherwise the notification must be made in the most expedient time possible and without unreasonable delay.


Requires detailed information and potential provision of services

Notification may be required for all consumer reporting agencies and credit bureaus. Mandatory report to the state attorney general in writing.

Disclosure may be made by written notice or electronically (with stipulations). A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $150,000 or the persons notified exceeds 300,000 or they do not have sufficient contact information.

Contact the Privacy Experts at CSR