Wednesday, August 06, 2008

Alaska Enacts Personal Information Protection Act

This posting was written by Thomas Long, Editor of CCH Privacy Law in Marketing.

A new Alaska law providing state residents with protection from identity theft and breaches of data security was signed by Governor Sarah Palin on June 13.

The Alaska Personal Information Protection Act (House Bill No. 65, Chapter 92) contains provisions relating to security freezes, data breaches, protection of Social Security Numbers, and disposal of records. The law will take effect on July 1, 2009, although state agencies may adopt regulations to comply with the statute’s requirements for the use of Social Security Numbers by state agencies.

Breach Notification

The new law requires businesses and government agencies that own or license the personal information of any resident of Alaska to notify the resident if the entity or agency discovers or is notified of a breach of security or its information system. The notice must be made without unreasonable delay.

If more than 1,000 residents are affected, the entity or agency must also notify all consumer credit reporting agencies of the timing, distribution, and content of the notices sent to residents.

Violations are subject to a civil penalty of up to $500 per resident who was not notified of the breach, up to a maximum of $50,000. Violations by nongovernmental information collectors are also unfair or deceptive practices under the Alaska Unfair Trade Practices and Consumer Protection Act, although private plaintiffs may recover actual economic damages of up to only $500.

Use of Social Security Numbers

The law also limits use of Social Security Numbers by private persons and government agencies. Persons doing business in the state may not request or collect Social Security Numbers, sell or rent them, or disclose them to third parties unless otherwise authorized by law.

Disposal of Records

To further limit the risk of identity theft, businesses and government agencies disposing of records that contain personal information must take all reasonable measures necessary to protect against unauthorized access to or use of the records. Such measures include burning, pulverizing, or shredding paper documents and destroying or erasing electronic media so that the personal information cannot be read or reconstructed.

Violators will be subject to a civil penalty of up to $3,000. Individuals damaged by a failure to properly dispose of records will be able to bring a civil action for actual economic damages, attorneys’ fees, and court costs.

Text of the Personal Information Protection Act will be reported at CCH Privacy Law in Marketing ¶30,200. It appears here on the Alaska State Legislature’s website.

No comments: