Can I avoid having a data breach response plan in Alaska? What are the requirements?
Data Breach Response Plan Requirements in Alaska
To comply with Alaska law, entities that own or license personal information of state residents must have a data breach response plan that includes an incident command system [1.1][2.3][2.4][1.3]. If a breach of the security of the information system containing personal information on a state resident that is maintained by an information recipient occurs, the information recipient is not required to comply with AS 45.48.010 — 45.48.030. However, immediately after the information recipient discovers the breach, the information recipient shall notify the information distributor who owns the personal information or who licensed the use of the personal information to the information recipient about the breach and cooperate with the information distributor as necessary to allow the information distributor to comply with (b) of this section [2.2][2.4].
Therefore, entities cannot avoid having a data breach response plan in Alaska if they own or license personal information of state residents. The plan must include an incident command system and comply with AS 45.48.010 — 45.48.030 in case of a breach.
Disclosure of Breach of Security
If a covered person owns or licenses personal information in any form that includes personal information on a state resident, and a breach of the security of the information system that contains personal information occurs, the covered person shall, after discovering or being notified of the breach, disclose the breach to each state resident whose personal information was subject to the breach [2.1].
Allowable Delay in Notification
An information collector may delay disclosing the breach under AS 45.48.010 if an appropriate law enforcement agency determines that disclosing the breach will interfere with a criminal investigation. However, the information collector shall disclose the breach to the state resident in the most expeditious time possible and without unreasonable delay after the law enforcement agency informs the information collector in writing that disclosure of the breach will no longer interfere with the investigation [2.5].
Notification of Certain Other Agencies
If an information collector is required by AS 45.48.010 to notify more than 1,000 state residents of a breach, the information collector shall also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis and provide the agencies with the timing, distribution, and content of the notices to state residents [2.6].
In summary, entities that own or license personal information of state residents in Alaska cannot avoid having a data breach response plan. The plan must include an incident command system and comply with AS 45.48.010 — 45.48.030. If a breach occurs, the covered person shall disclose the breach to each state resident whose personal information was subject to the breach. An information collector may delay disclosing the breach if an appropriate law enforcement agency determines that disclosing the breach will interfere with a criminal investigation. If the information collector is required to notify more than 1,000 state residents of a breach, the information collector shall also notify all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis.
Source(s):
- [1.1] Plan review; incident command systems.
- [2.1] Disclosure of breach of security.
- [2.2] Treatment of certain breaches.
- [2.3] Disclosure of breach of security.
- [2.4] Treatment of certain breaches.
- [1.3] Emergency plans.
- [2.5] Allowable delay in notification.
- [2.6] Notification of certain other agencies.
Jurisdiction
Alaska