Can I ignore my obligations as a service provider with access to personal information in Alaska? What are the requirements?

Based on the context documents, as a service provider with access to personal information in Alaska, you cannot ignore your obligations under the Alaska Personal Information Protection Act ^[1.2]. If you own or license personal information in any form that includes personal information on a state resident, and a breach of the security of the information system that contains personal information occurs, you must disclose the breach to each state resident whose personal information was subject to the breach ^[1.1][1.3]. An information collector shall make the disclosure required in the most expeditious time possible and without unreasonable delay, except as provided in AS 45.48.020 and as necessary to determine the scope of the breach and restore the reasonable integrity of the information system ^[1.1].

Disclosure is not required if, after an appropriate investigation and after written notification to the attorney general of this state, the covered person determines that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach ^[1.1]. The determination shall be documented in writing, and the documentation shall be maintained for five years ^[1.1].

If a breach of the security of the information system containing personal information on a state resident that is maintained by an information recipient occurs, the information recipient is not required to comply with AS 45.48.010 — 45.48.030. However, immediately after the information recipient discovers the breach, the information recipient shall notify the information distributor who owns the personal information or who licensed the use of the personal information to the information recipient about the breach and cooperate with the information distributor as necessary to allow the information distributor to comply with (b) of this section ^[1.5].

In case of violation of AS 45.48.010 — 45.48.090 with regard to the personal information of a state resident, the information collector is liable to the state for a civil penalty of up to $500 for each state resident who was not notified under AS 45.48.010 — 45.48.090, but the total civil penalty may not exceed $50,000 ^[1.6].

Therefore, you cannot ignore your obligations as a service provider with access to personal information in Alaska. If a breach of the security of the information system containing personal information on a state resident occurs, you must disclose the breach to each state resident whose personal information was subject to the breach. Failure to comply with the Alaska Personal Information Protection Act may result in civil penalties.

Source(s):

• [1.1] Disclosure of breach of security.
• [1.2] Short title.
• [1.3] Disclosure of breach of security.
• [1.5] Treatment of certain breaches.
• [1.6] Violations.

Jurisdiction

Alaska

• Privacy